Nova Southeastern University
NSUWorks
CEC Theses and Dissertations, College of Engineering and Computing
2013

Assessing the Role of User Computer Self-Efficacy, Cybersecurity Countermeasures Awareness, and Cybersecurity Skills toward Computer Misuse Intention at Government Agencies
Min Suk Choi
Nova Southeastern University

This document is a product of extensive research conducted at the Nova Southeastern University College of Engineering and Computing.
Part of the Computer Sciences Commons
This Dissertation is brought to you by the College of Engineering and Computing at NSUWorks. It has been accepted for inclusion in CEC Theses and Dissertations by an authorized administrator of NSUWorks.

NSUWorks Citation
Min Suk Choi. 2013. Assessing the Role of User Computer Self-Efficacy, Cybersecurity Countermeasures Awareness, and Cybersecurity Skills toward Computer Misuse Intention at Government Agencies. Doctoral dissertation. Nova Southeastern University. Retrieved from NSUWorks, Graduate School of Computer and Information Sciences. (119) http://nsuworks.nova.edu/gscis_etd/119.

Assessing the Role of User Computer Self-Efficacy, Cybersecurity
Countermeasures Awareness, and Cybersecurity Skills toward Computer
Misuse Intention at Government Agencies

by
Min Suk Choi

A dissertation submitted in partial fulfillment of the requirement for the degree of
Doctor of Philosophy
in
Information Systems

Graduate School of Computer and Information Sciences
Nova Southeastern University

2013

An Abstract of a Dissertation Submitted to Nova Southeastern University in Partial
Fulfillment of the Requirements for the Degree of Doctor of Philosophy

Assessing the Role of User Computer Self-Efficacy, Cybersecurity
Countermeasures Awareness, and Cybersecurity Skills toward Computer
Misuse Intention at Government Agencies
by
Min Suk Choi
May 2013

Cybersecurity threats and vulnerabilities are causing substantial financial losses for
governments and organizations all over the world. Cybersecurity criminals are stealing
more than one billion dollars from banks every year by exploiting vulnerabilities caused
by bank users’ computer misuse. Cybersecurity breaches are threatening the common
welfare of citizens since more and more terrorists are using cyberterrorism to target
critical infrastructures (e.g., transportation, telecommunications, power, nuclear plants,
water supply, banking) to coerce the targeted government and its people to accomplish
their political objectives. Cyberwar is another major concern that nations around the
world are struggling to get ready to fight. It has been found that intentional and
unintentional users' misuse of information systems (IS) resources represents about 50% to
75% of cybersecurity threats and vulnerabilities to organizations. The Computer Crime and
Security Survey revealed that nearly 60% of security breaches occurred from inside the
organization by users.

Computer users are one of the weakest links in the information systems security chain,
because users seem to have very limited or no knowledge of user computer self-efficacy
(CSE), cybersecurity countermeasures awareness (CCA), and cybersecurity skills (CS).
Users’ CSE, CCA, and CS play an important role in users’ computer misuse intention
(CMI). CMI can be categorized as unauthorized access, use, disruption, modification,
disclosure, inspection, recording, or destruction of information system data. This
dissertation used a survey to empirically assess users’ CSE, CCA, CS, and computer
misuse intention (CMI) at government agencies. This study used the Partial Least Squares
(PLS) technique to measure the fit of a theoretical model that includes seven independent
latent variables (CSE, UAS-P, UAS-T, UAC-M, CCS, CIS, & CAS) and their influences
on the dependent variable CMI. Also, PLS was used to examine if the six control
variables (age, gender, job function, education level, length of working in the
organization, & military status such as veteran) had any significant impact on CMI.

This study included data collected from 185 employees of a local and state transportation
agency from a large metropolitan area in the northeastern United States. Participants received
an email invitation to take the Web-based survey. PLS was used to test the four research
hypotheses. The results of the PLS model showed that UAC-M and CIS were significant
contributors (p < .05) to CMI. UAC-M was a significant contributor (p < .05) to CCS.
UAS-P was a significant contributor (p < .05) to CAS. CSE was the most significant
contributor (p < .001) to CCS, while it did not show a significant contribution towards
CMI. It can be concluded that UAC-M and CIS play a significant role in CMI. This
investigation contributes to the IS and cybersecurity practice by providing valuable
information that can be used by government agencies in an effort to significantly reduce
computer users’ abuse, while increasing productivity and effectiveness.

ACKNOWLEDGEMENTS

I would like to dedicate this to God for his unconditional love and guidance. To my
mother who introduced me to God and showed me that everything is possible with faith
and hard work. My two sisters and brother for their prayers, love, and support. To my
wife Soojin, kids Dahae, Joohee, Isaac, and Joseph for all the love and joy in my life.

Special thanks to my advisor, Dr. Yair Levy, for his leadership, guidance, and support
throughout this rigorous dissertation process. I have learned so much from Dr. Levy. I
also want to thank my committee members, Dr. Anat Zeelim-Hovav and Dr. William L.
Hafner for all their helpful comments and support throughout this process. I would like to thank
Dr. Ling Wang for helping me with IRB.

Finally, I would like to express my appreciation to Tariq, Steven, Deborah, Jerome,
Anthony, Chuck, and others for helping me with the survey.

Table of Contents

Abstract
List of Tables
List of Figures

Chapters

1. Introduction
   Background
   Problem Statement
   Research Goals
   Relevance and Significance
   Barriers and Issues
   Definition of Terms
   Summary

2. Review of the Literature
   Introduction
   Computer Self-Efficacy
   User Awareness of Security Policy
   User Awareness of Security-Training Programs
   User Awareness of Computer Monitoring
   User Awareness of Computer Sanctions
   Skills
   Information Technology Skills
   Cybersecurity Skills
   Cybersecurity Computing Skill
   Cybersecurity Initiative Skill
   Cybersecurity Action Skill
   Summary of What is Known and Unknown in Research Literature
   Contributions of this Study

3. Methodology
   Research Design
   Survey Instrument and Measures
   Validity and Reliability
   Expert Panel
   Sample and Data Collection
   Pre-Analysis Data Screening
   Data Analysis
   Model Fit
   Summary

4. Results
   Overview
   Pre-Analysis Data Screening
   Demographic Analysis
   Validity and Reliability Analyses
   Summary

5. Conclusions, Implications, Recommendations, and Summary
   Conclusions
   Study Implications
   Study Limitations
   Recommendations for Future Research
   Summary

Appendices
   A. Survey Instrument
   B. Approval Letter to Collect Data from MTA Bridges and Tunnels
   C. IRB Approval Letter

References

List of Tables

Tables
1. Survey question sources
2. The summary of characteristics of federal employees
3. Mahalanobis distance extreme values
4. Descriptive statistics of population
5. Descriptive statistics of reliability
6. Latent and Demographic Variables Correlation
7. Path coefficients significance
8. CMI mean and CSE mean

List of Figures

Figures
1. The CMI conceptual research map based on GDT
2. Theory of Reasoned Action
3. Results of the PLS analysis
4. Graph of CMI mean and CSE mean

Chapter 1
Introduction

Background
The fast growing cybersecurity threats and vulnerabilities are causing substantial
financial losses for governments and organizations all over the world (The White House,
2009). Cyber-attacks, hacking, and computer misuse by employees are costing millions
of dollars to organizations around the world every day (Gal-Or & Ghose, 2005).
Cybersecurity breaches have increased rapidly over the years, and they continue growing
at an alarming rate (Veiga & Eloff, 2007). One of the biggest challenges nowadays in
cybersecurity is the behavior of users due to their limited cybersecurity skills (Thomson
& Solms, 2005). Thus, this study focused on assessing the role of user computer
self-efficacy (CSE), cybersecurity countermeasures awareness (CCA), and cybersecurity
skills (CS) toward computer misuse intention (CMI) at government agencies.

CSE, CCA, and CS were found to play an important role in reducing CMI, human
error in data processing, information theft, digital fraud, and misuse of computer assets in
organizations (D’Arcy, Hovav, & Galletta, 2009; Drevin, Kruger, & Steyn, 2007). It
appears that users are one of the weakest links in the information systems (IS) security
chain, because users seem to have very limited or no knowledge of CSE, CCA, and CS
(Albrechtsen, 2007; Clifford, 2008). CSE, CCA, and CS are essential in educating and
developing users’ awareness and skills to help reduce cybersecurity vulnerabilities such
as CMI (Clifford, 2008; D’Arcy et al., 2009).

The structure of this document is in the following order: problem statement,
dissertation/research goal, research questions, relevance and significance of the study,
brief review of the literature, barriers and issues, approach, results, conclusions,
implications, recommendations, summary, resources, and references.

Problem Statement
The research problem that this study addressed was the fast growing cybersecurity
threats and vulnerabilities from users’ computer misuse that are causing substantial
financial losses for governments and organizations all over the world (Blanke, 2008;
D’Arcy et al., 2009; Gal-Or & Ghose, 2005). Axelrod (2006) defined cybersecurity as
“the prevention of damage to, unauthorized use of, exploitation of, and, if needed, the
restoration of electronic information and communications systems to ensure
confidentiality, integrity and availability” (p. 1). Cyber-attacks, hacking, and computer
misuse by users (e.g., employees, consultants, contractors, & business partners) are
costing millions of dollars to organizations around the world every day (Gal-Or & Ghose,
2005). Torkzadeh and Lee (2003) defined users as “individuals who may use codes
written by others” (p. 608). Computer users are individuals that interact or use computer
software applications in order to perform their work or achieve their intended actions,
but do not write computer code on their own (Torkzadeh & Lee, 2003). Straub (1990)
defined computer misuse as “unauthorized deliberate and internally recognizable misuse
of assets of the local organizational information system by individuals” (p. 527). D’Arcy
et al. (2009) defined computer misuse intention as an “individual’s intention to perform a
behavior that is defined by the organization as a misuse of IS resources” (p. 81).
Cybersecurity criminals are stealing more than one billion dollars from banks every year
by exploiting vulnerabilities caused by bank users’ computer misuse (Farrell & Riley,
2011). It has been found that intentional and unintentional users' misuse of information
systems resources represents about 50% to 75% of cybersecurity threats and
vulnerabilities to organizations (D’Arcy et al., 2009). D’Arcy and Hovav (2007) claimed
that users’ computer misuse is a very serious problem for organizations. Users’ computer
misuse includes sending inappropriate emails using their organization’s email,
installation of unlicensed and unauthorized computer software, unauthorized
modification of computerized data, access to unauthorized computers, password sharing,
and password stealing. Blanke (2008) found that users’ computer misuse is one of the
biggest cybersecurity issues in organizations all over the world. According to a survey by
Ernst and Young, security incidents can cost companies between $17 and $28 million for
each occurrence (Veiga & Eloff, 2007). The 2010/2011 Computer Crime and Security
Survey (2011) revealed that approximately 59.1% of security breaches occurred from
inside the organization by users. A White House report (2009) that addressed the
systemic loss of United States (U.S.) economic value estimated that in 2008 alone the
loss from intellectual property to data theft was up to one trillion dollars. Cybersecurity
breaches have increased rapidly over the years and they continue growing at an alarming
rate (Veiga & Eloff, 2007). One of the biggest challenges nowadays in cybersecurity is
the behavior of users due to the user’s limited cybersecurity skills (Thomson & Solms,
2005). Yet, limited work has been done to study cybersecurity skills, let alone to develop
viable instruments to measure such skills.

Government agencies are not exempt from cybersecurity attacks and
vulnerabilities caused by users’ computer misuse. According to Clarke and Knake
(2010), several government agencies have been hit by cybersecurity attacks. Many U.S.
government agencies such as the Central Intelligence Agency (CIA), Department of
Defense (DoD), Department of Homeland Security (DHS), Federal Bureau of
Investigation (FBI), and Federal Aviation Administration (FAA) are a few examples of
agencies that have been attacked by cybercriminals recently (Clarke & Knake, 2010;
Rosenzweig, 2012). In addition, cybersecurity breaches are threatening the common
welfare of citizens since more and more terrorists are using cyberterrorism to target
critical infrastructures (e.g., transportation, telecommunications, power, nuclear plants,
water supply, banking) to terrorize and coerce the targeted government and its people to
accomplish their political objectives (Foltz, 2004). Terrorist organizations can easily hire
outside hackers and users from the targeted organization to work for them (Foltz, 2004).
Foltz (2004) defined cyberterrorism as “concerted, sophisticated attacks on networks” (p.
154). Cyberwar is another major concern that nations around the world are struggling to
get ready to fight (Clarke & Knake, 2010). Clarke and Knake (2010) defined cyberwar as
“actions by a nation-state to penetrate another nation’s computers or networks for the
purposes of causing damage or disruption” (p. 6). Cybersecurity has become one of the
top priorities of the U.S. government (The White House, 2009). President Obama
mandated a comprehensive review to assess the national cybersecurity policies and
structures in order to evaluate the ever increasing cybersecurity attacks, system
vulnerabilities, and information system misuse (The White House, 2009). It is important
to understand that cybersecurity criminals, cyber-terrorists, and cyber-warriors are
exploiting and hacking into IS vulnerabilities that are often caused by users’ intentional
and unintentional computer misuse (Blanke, 2008; Clarke & Knake, 2010).

Users’ computer self-efficacy (CSE), cybersecurity countermeasures awareness
(CCA), and cybersecurity skills (CS) play an important role in users’ computer misuse
intention (CMI) (Blanke, 2008; D’Arcy et al., 2009; Ruighaver, Maynard, & Chang,
2007). Compeau and Higgins (1995) defined self-efficacy “as beliefs about one’s ability
to perform a specific behavior” (p. 146). Computer self-efficacy pertains to individuals’
judgment of their capabilities to use computers in various situations to perform a task
successfully (Compeau & Higgins, 1995; Chau, 2001; Marakas, Yi, & Johnson, 1998).
Compeau and Higgins (1995) claimed that studies have uncovered a close relationship
between self-efficacy, skill, and individual behaviors regarding technology usage and
adoption. Skill is the combined knowledge, ability, and experience that allow an
individual to successfully perform an action, while computer self-efficacy (CSE) is the
perception of the ability to successfully perform an action using a computer (Compeau &
Higgins, 1995; McCoy, 2010). Chan, Woon, and Kankanhalli (2005) conducted a study
based on Compeau and Higgins’ (1995) CSE focusing on breaches in information
security. Chan et al. (2005) found that users’ perception of CSE and the organization’s
cybersecurity view positively impact their compliant behavior. Their study concluded
that compliant behavior can be promoted by increasing users’ CSE and enhancing
awareness of the importance of cybersecurity to them and their organization (Chan et al.,
2005). D’Arcy and Hovav (2009) stated that “research that has examined risky decision
making among various groups suggests that there is a significant relationship between
perceptions of self-efficacy and risk-taking behavior” (p. 61). Wyatt (1990) found several
risky behaviors (e.g., computer misuse) among college students and stated that
self-efficacy was the principal variable influencing risk-taking behavior. D’Arcy and Hovav
(2009) found that self-efficacy influences risk-taking behavior through opportunity
recognition. They suggested that CSE appears to have different effects depending on the
computer misuse activity (i.e., ones that apply to computer savvy users & ones that apply
to computer non-savvy users). CCA comprises user awareness of security policy,
security-training programs, computer monitoring, and computer sanctions (Aakash, 2006;
D’Arcy et al., 2009). D’Arcy et al.’s (2009) study found that cybersecurity
countermeasures such as the four aforementioned dimensions of user security and
computer awareness are each effective in discouraging users’ CMI. Users’ computer
misuse is a serious and very costly threat to an organization’s financial stability (D’Arcy
& Hovav, 2007). Although the aforementioned studies have focused on addressing CMI,
these studies have not investigated the role of skills, specifically cybersecurity skills, in
their models.

Users are one of the weakest links in the IS security chain because many users
appear to have limited or no cybersecurity skills (Albrechtsen, 2007; Clifford, 2008).
Most users do not understand the importance of protecting computer information
systems, and this lack of understanding is reflected in their negligence in cybersecurity
practices (Thomson & Solms, 2005). Users cannot be held responsible for cybersecurity
problems if they are not educated and trained to acquire the right skills to be able to
identify what such security problems are as well as what they should do to prevent them
(Solms & Solms, 2004). Boyatzis and Kolb (1991) defined skill as a “combination of
ability, knowledge and experience that enables a person to do something well” (p. 280).
Skill is the ability to understand and make use of different intellectual abilities (i.e.,
knowledge), combined with the individual’s prior experience to achieve the most
appropriate action for the best result. For example, the combined ability, knowledge, and
experience to install, configure, and/or maintain antivirus software to protect the
operating systems of a computer is a type of a computer skill (Levy, 2005; Torkzadeh &
Lee, 2003). For most users, a computer system is a tool to perform their job
responsibilities as efficiently as possible, while they view cybersecurity as a barrier rather
than a necessity due to their lack of cybersecurity skills (Tsohou, Karyda, Kokolakis, &
Kiountouzis, 2006).

CSE, CCA, and CS all play an important role in reducing CMI, human error in
data processing, information theft, digital fraud, and misuse of computer assets in
organizations (D’Arcy et al., 2009; Drevin et al., 2007). Although all of CCA’s user
awareness of security policy (UAS-P), user awareness of security-training programs
(UAS-T), user awareness of computer monitoring (UAC-M), and user awareness of
computer sanctions (UAC-S) play a key role in reducing users’ CMI in their
organizations (D’Arcy et al., 2009; Ruighaver et al., 2007), D’Arcy et al. (2009)
suggested that perceived severity of sanctions appears to have a significant direct effect on
users’ CMI. Unfortunately, organizations are reluctant to invest in CCA programs due to
their lack of knowledge of the cybersecurity risks and cost associated with implementing
CCA programs (Ruighaver et al., 2007). Thomson and Solms (2005) claimed that
cybersecurity should become second nature behavior in users’ daily activity in order to
help reduce their computer misuse. Increasing CCA appears to increase users’
perceptions of the negative impact that computer misuse could cause to their organization
(D’Arcy et al., 2009; Thomson & Solms, 2005). CCA is essential in educating and
developing users’ cybersecurity skills to help reduce cybersecurity vulnerabilities
(Clifford, 2008; D’Arcy et al., 2009). While significant research has been done in the
cybersecurity domain, very little attention has been given to the study of user CMI
(D’Arcy et al., 2009; Torkzadeh & Lee, 2003). According to Ajzen (1989), behavioral
intention is the individual’s intention to perform or not perform a specific behavior.
Based on Ajzen’s definition and for the purpose of this study, CMI is defined as a user’s
intention to perform computer misuse. A user’s CMI is the indicator that the individual
may have the behavioral intention to use the computer to commit computer misuse in his
or her organization and negatively affect cybersecurity. Government agencies are under a
lot of pressure to improve cybersecurity (The White House, 2009). Thus, it appears that
additional empirical investigation on the role of computer self-efficacy (CSE),
cybersecurity countermeasures awareness (CCA), and cybersecurity skills (CS) towards
computer misuse intention (CMI) is necessary since cybersecurity plays a crucial part in
the world’s economy, infrastructure, and military today (Clarke & Knake, 2010; D’Arcy
et al., 2009).

Research Goals
The main goal of this research study was to empirically test a predictive model on
the impact of computer self-efficacy (CSE), cybersecurity countermeasures awareness
(CCA), and cybersecurity skills (CS) on computer misuse intention (CMI) at government
agencies. The need for this study is demonstrated by D’Arcy et al.’s (2009) study on user
awareness of security countermeasures and its impact on information systems misuse;
Blanke’s (2008) research on employee’s intention to commit computer misuse in
business environments; Aakash’s (2006) research on antecedents of information system
exploitation in organizations; as well as Torkzadeh and Lee’s (2003) study on the
measures of user computing skills. D’Arcy et al. (2009) claimed that intentional and
unintentional insider misuse of information systems resources (i.e., computer misuse)
represents a significant threat to organizations. Blanke (2008) indicated that American
businesses alone will lose around $63 billion each year due to employees’ computer
misuse. Aakash (2006) pointed out that organizations should invest in cybersecurity
awareness programs, education, training, and sanctions to increase employees’
cybersecurity compliance. Torkzadeh and Lee (2003) reported on the need to develop a
measuring instrument to properly assess user computing skills. Unfortunately, limited
numbers of research studies have been done on CSE, CCA, and CS toward CMI (Blanke,
2008; Clarke & Knake, 2010; D’Arcy et al., 2009). D’Arcy et al. (2009) stated that users’
computer misuse is the source of 50% to 75% of security incidents. Therefore, an
investigation on user’s CMI appears to be warranted.

This study focused on three key independent variables (CSE, CCA, & CS
constructs) as potential predictors for CMI as described in Figure 1. The theoretical
foundation is based on general deterrence theory (GDT). GDT posits that individuals can
be dissuaded from committing antisocial acts through the use of countermeasures, which
include strong disincentives and sanctions relative to the act (Straub & Welke, 1998). For
example, due to the lack of cybersecurity skills training and sanctions, an organizational
user may fail to follow procedures, which leads to data loss, destruction, or a failure of
data integrity (Straub & Welke, 1998).

Figure 1. The CMI conceptual research map based on GDT

Cybersecurity computing skill (CCS), cybersecurity initiative skill (CIS), and
cybersecurity action skill (CAS) are considered as the three major facets of users’
cybersecurity skill (CS) (Aakash, 2006; Blanke, 2008; Levy, 2005; Torkzadeh & Lee,
2003). Levy (2005) defined computing skill as the “ability to use computers and
computer networks to analyze data and organize information” (p. 6). He also defined
initiative skill as the “ability to seek out and take advantage of opportunities” (p. 6). Levy
(2005) defined action skill as the “ability to commit to objectives, to meet deadlines” (p.
6). Accordingly, the cybersecurity computing skill was defined in this research as the
ability to use protective tools (e.g., encryption) to protect computers and computer
networks to secure data and information systems. The cybersecurity initiative skill was
defined as the ability to seek out and take advantage of security software (e.g., antivirus
program) and best practices. Lastly, the cybersecurity action skill was defined as the
ability to commit to objectives and to meet security compliance (e.g., laptop encryption).
The three facets (i.e., CCS, CIS, & CAS) of users’ cybersecurity skill are important since
a user needs to have adequate levels of these three cybersecurity skills combined in order
to demonstrate appropriate overall cybersecurity skill (Aakash, 2006; Blanke, 2008;
Levy, 2005; Torkzadeh & Lee, 2003). Computer misuse can be described as
unauthorized, deliberate, and internally recognizable misuse of assets of the local
organizational IS by individuals, including violations against hardware, programs, data,
and computer service (Straub, 1986).

This research was built on previous studies conducted by D’Arcy et al. (2009),
Levy (2005), Blanke (2008), Torkzadeh and Lee (2003), as well as Aakash (2006), by
investigating the contributions of users’ CSE, CCA, and CS toward CMI in an attempt to
validate a model to assess users’ CMI in a government agency. The first specific goal of
this study was to empirically assess CSE and its contribution to CCA dimensions. The
second goal of this study was to empirically assess CCA dimensions and their contribution
to CS. The third goal of this study was to empirically assess CS and its contribution to
CMI. The fourth goal of this study was to empirically assess the contribution of the six
control variables: age, gender, job function (i.e., officer, security operator, managerial,
operations, technical, professional staff, and administrative staff), education level, length
of working in the organization, and military status (e.g., veteran) to CMI. The last goal
was to empirically assess the fit of the model by using CCA (i.e., UAS-P, UAS-T, &
UAC-M), CS (i.e., CCS, CIS, & CAS), CMI,
and control variables.

The four hypotheses that this study addressed are:
H1: Computer self-efficacy (CSE) of users will show significant positive
influence on the cybersecurity countermeasures awareness dimensions (UAS-P,
UAS-T, & UAC-M).
H2a: User awareness of security policy (UAS-P) will show significant positive
influence on the three cybersecurity skills (CCS, CIS, & CAS).
H2b: User awareness of security-training programs (UAS-T) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).
H2c: User awareness of computer monitoring (UAC-M) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).
H3: The three cybersecurity skills (CCS, CIS, & CAS) of users will show
significant negative influence on Computer Misuse Intention (CMI).
H4a: Users’ age will show no significant influence on Computer Misuse Intention
(CMI).
H4b: Users’ gender will show no significant influence on Computer Misuse
Intention (CMI).
H4c: Users’ job function will show no significant influence on Computer Misuse
Intention (CMI).
H4d: Users’ education level will show no significant influence on Computer
Misuse Intention (CMI).
H4e: Users’ length of working in the organization will show no significant
influence on Computer Misuse Intention (CMI).
H4f: Users’ military veteran status (i.e., ‘yes’ or ‘no’) will show no significant
influence on Computer Misuse Intention (CMI).
Relevance and Significance 515
Relevance of this Study 516
There are many protective technologies, such as firewall, antivirus software, and 517
instruction detection systems implemented in organizations to protect them from 518
computer misuse (Dinev, Goo, Hu, & Nam, 2008). These protective technologies, which 519
are designed to protect users from computer viruses, spyware, worms, and other malware 520
(e.g., hacking tools), suffer from many complexities and vulnerabilities such as lack of 521
proper software configuration and updates (Dinev et al., 2008). It appears that 522
information security practitioners and managers pay more attention to protective 523
technologies to mitigate security threats than to the security risks caused by users due to 524
the lack of cybersecurity training and/or skills (Rezgui & Marks, 2008). Rezgui and 525
Marks (2008) defined information security as “the concepts, techniques, technical 526
measures, and administrative measures used to protect information assets from deliberate 527
or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, 528
loss, or use” (p. 243). They also defined risk as “the potential that a given threat will 529
exploit vulnerabilities of an asset or group of assets” (Rezgui & Marks, 2008, p. 243). 530
Users play a large role in information security (Veiga & Eloff, 2007). Many users
are complacent about potential computer security risks when protective technologies
(e.g., antivirus software) are not used or installed on their computers. They are willing to
accept the security risks rather than address them due to the nuisances caused by
security measures and cost (Dinev et al., 2008). It appears that fighting effectively against
information security risks caused by malicious and harmful applications (e.g., viruses,
worms, spyware, or malware) cannot be solely accomplished by using protective
information technologies (IT). Therefore, assessing the role of user CSE, CCA, and CS
toward CMI seems to be warranted (Blanke, 2008; D’Arcy et al., 2009; Dinev et al.,
2008; Torkzadeh & Lee, 2003). Dinev et al. (2008) claimed that a “computer user that is
aware of the security threats of spyware will be more motivated to use an anti-spyware”
(p. 8). The relevance of this study to the fast-growing cybersecurity threats and
vulnerabilities lies in assessing the role of user CSE, CCA, and CS toward CMI.
According to the White House (2009), cybersecurity awareness, education, and training
are important to develop users’ cybersecurity skills in digital safety, ethics, and security
to protect them from ever-increasing cybersecurity attacks. This study provides
measurable data to cybersecurity practitioners and IT managers. This study helps
cybersecurity practitioners and IT managers justify funding for cybersecurity programs
for end users’ cybersecurity skill development. In addition, this study contributes to the
research community by providing its findings for further research; this study also expands
the body of knowledge (BoK) in the area of user CSE, CCA, and CS roles toward CMI
(Besnard & Arief, 2004; Blanke, 2008; D’Arcy et al., 2009; Dinev et al., 2008; Rezgui &
Marks, 2008; Torkzadeh & Lee, 2003; Veiga & Eloff, 2007; White House, 2009).
Significance of this Study
The 2010/2011 Computer Crime and Security Survey (2011) revealed that
approximately 59.1% of security breaches occurred from inside the organization by users.
More than 77% of computer attacks originate in the form of users’ computer misuse as
they activate viruses and worms embedded in emails and pirated software (e.g., songs,
movies, games, or applications) they obtain (Chan et al., 2005). Constantly, users’
computer misuse, international terrorists, hackers, and cyber-criminal groups are
targeting U.S. citizens, commerce, critical infrastructure, and government with the
intentions to compromise, steal, change, or completely destroy information (The White
House, 2009). Organizations are losing millions of dollars every day due to cybersecurity
breaches (The White House, 2009). Today, cybersecurity has a direct impact on and is a
threat to the nations’ security; cyberwar is a reality, not science fiction anymore (Clarke &
Knake, 2010).
It appears that intentional and unintentional user computer misuse is one of the
greatest cybersecurity threats and vulnerabilities to organizations (Blanke, 2008; D’Arcy
et al., 2009). Cybersecurity threats are on a steady rise; thus, the U.S. government is
constantly increasing the number of professionals to mitigate cybersecurity threats in
both public and private sectors (The White House, 2009). One of the U.S. government’s
top priorities is to promote cybersecurity risk awareness for its citizens and build an
education system that will enhance understanding of cybersecurity (The White House,
2009). The significance of this study stems from the results of the assessment on the role
of users’ CSE, CCA, and CS toward CMI at government agencies, as well as the
investigation of the impact of users’ CSE, CCA, and CS on CMI. The results of this study
were expected to provide a better understanding of cybersecurity gaps and threats in
government agencies (Aakash, 2006; Besnard & Arief, 2004; Blanke, 2008; D’Arcy et
al., 2009; Dinev et al., 2008; Rezgui & Marks, 2008; Torkzadeh & Lee, 2003; Veiga &
Eloff, 2007).

Barriers and Issues
The main barrier of this study was that cybersecurity studies are not widely
conducted in U.S. government agencies due to the government agencies’ strict union
rules, organizational politics, as well as managerial support and funding. The first issue of
this study was that the participants were not willing to share information about their
knowledge of cybersecurity skills due to their concerns about their privacy (Straub, 1986;
Straub & Nance, 1990). In order to address the participants’ concern, they were informed
that their participation was voluntary. They were told that their survey responses would
be anonymous to ensure confidentiality as well as privacy of each participant and that any
data collected would be used for this study only. The second issue was that the number of
participants was limited. The main reason for the limited sample size was that this
cybersecurity survey was voluntary. Therefore, an explanation of the importance of their
participation and the value of the results of the study to the organization was
communicated to participants and senior management prior to the survey. In addition, the
time spent collecting and analyzing the data was lengthy due to the need for a review of the
survey questions by an expert panel before collecting data. Lastly, another issue in
conducting this study was the need for institutional review board (IRB) approval. Given
that the study involved human subjects, the instruments and protocols used had to be
approved by the University’s IRB prior to the study being conducted. IRB approval was
obtained to conduct this research study.

Definition of Terms
Computer misuse intention (CMI) – An individual’s intention to perform a behavior
that is defined by the organization as a misuse of IS resources (D’Arcy et al., 2009).
Computer self-efficacy (CSE) – A judgment of one’s capability to use a computer
(Compeau & Higgins, 1995).
Cybersecurity – Prevention of damage to, unauthorized use of, exploitation of, and, if
needed, the restoration of electronic information and communications systems to ensure
confidentiality, integrity, and availability (Axelrod, 2006).
Cybersecurity action skill (CAS) – The ability to commit to objectives, to meet security
compliance (Levy, 2005).
Cybersecurity initiative skill (CIS) – The ability to seek out and take advantage of
security software (e.g., antivirus program) and best practices (Levy, 2005).
Cybersecurity computing skill (CCS) – The ability to use protective tools (e.g.,
antivirus software) to protect computers and computer networks to secure data and
information system (Levy, 2005).
Cyberspace – Independent network of IT infrastructures that includes the Internet,
telecommunications networks, computer systems, and embedded processors and
controllers in critical industries (The White House, 2009).
Cyberterrorism – Concerted, sophisticated attacks on networks (Foltz, 2004).
Cyberwar – Actions by a nation-state to penetrate another nation’s computers or
networks for the purposes of causing damage or disruption (Clarke & Knake, 2010).
Information Security – The concepts, techniques, technical measures, and administrative
measures used to protect information assets from deliberate or inadvertent unauthorized
acquisition, damage, disclosure, manipulation, modification, loss, or use (Rezgui &
Marks, 2008).
Information System (IS) – The system that governs the information technology
development, use, application, and influence on a business or corporation (Alvarez,
2002).
Information Technology (IT) – The acquisition, processing, storage, and dissemination
of vocal, pictorial, textual, and numerical information by a microelectronics-based
combination of computing and telecommunications (Caputo, 2010).
Negative Technologies – Tools used for breaking into systems and databases, such as
computer viruses and spyware (Dinev & Hu, 2007).
Protective Technologies – Technologies that are designed to deter, neutralize, disable, or
eliminate the negative technologies or their effectiveness, such as anti-virus software,
anti-spyware, firewalls, and intrusion detection technologies (Dinev & Hu, 2007).
Risk – The potential that a given threat will exploit vulnerabilities of an asset or group of
assets (Rezgui & Marks, 2008).
Risky End-User Computing Behavior – End-users sharing passwords, downloading
unauthorized software, and opening emails from unknown sources (Aytes & Connolly,
2004).
Skill – A combination of ability, knowledge, and experience that enables a person to do
something well (Boyatzis & Kolb, 1991).
Statistical Package for the Social Sciences® (SPSS) – A software tool utilized to
perform data analysis.
Theory of Reasoned Action (TRA) – Theory that demonstrates the links between
attitudes, beliefs, norms, intentions, and behaviors of individuals (Fishbein & Ajzen,
1975).
User – End-users or computer users are individuals who may develop their own
applications or use codes written by others (Torkzadeh & Lee, 2003).
User awareness of computer monitoring (UAC-M) – The awareness by users of
computer monitoring, which is tracking employees’ Internet use, recording network
activities, and performing security audits (D’Arcy et al., 2009).
User awareness of computer sanctions (UAC-S) – The punishment for breaking the
cybersecurity rules set by the organization (D’Arcy et al., 2009).
User awareness of security policy (UAS-P) – The security policies with detailed
guidelines for the proper and improper use of organizational IS resources (D’Arcy et al.,
2009).
User awareness of security-training programs (UAS-T) – The programs that focus on
providing users with knowledge of the information security policies and skills necessary
to perform any required cybersecurity engagements (D’Arcy et al., 2009).
Web-based Survey – An online survey that has incorporated the functionality of the
Internet (Thomas, 2003).

Summary
Chapter one provided an introduction to this study, identified the research
problem, identified barriers to conducting this study, and provided an overall theoretical
position. The research problem that this study addressed was the fast-growing
cybersecurity threats and vulnerabilities that are causing substantial financial losses for
governments and organizations all over the world. The main focus was on the users’
computer misuse intention (CMI) at government agencies. Valid literature supporting the
research problem and the need for this study was presented.
This chapter also presented the main goal for this study and its specific goals. The
main goal of this research study was to empirically test a predictive model on the impact
of computer self-efficacy (CSE), cybersecurity countermeasures awareness (CCA), and
cybersecurity skills (CS) on computer misuse intention (CMI) at government agencies.
This research was built on previous studies conducted by D’Arcy et al. (2009), Levy
(2005), Blanke (2008), Torkzadeh and Lee (2003), as well as Aakash (2006), by
investigating the contributions of users’ CSE, CCA, and CS toward CMI in an attempt to
validate a model to assess users’ CMI in a government agency. The first specific goal of
this study was to empirically assess CSE and its contribution to CCA dimensions. The
second goal of this study was to empirically assess CCA dimensions and their contribution
to CS. The third goal of this study was to empirically assess CS and its contribution to
CMI. The fourth goal of this study was to empirically assess if there is a significant
difference on the measured constructs based on age, gender, job function (i.e., job title),
education level, length of working in the organization, and military status (e.g., veteran).
The last goal was to empirically assess the fit of the model by using CSE, CCA (i.e.,
UAS-P, UAS-T, & UAC-M), CS (i.e., CCS, CIS, & CAS), CMI, and control variables.
There were a total of four hypotheses. H1 tested the CSE influence on the CCA
dimensions (i.e., UAS-P, UAS-T, & UAC-M). H2 (i.e., H2a, H2b, & H2c) tested the
CCA influence on the CS dimensions (i.e., CCS, CIS, & CAS). H3 tested the CS
influence on CMI. H4 (i.e., H4a, H4b, H4c, H4d, H4e, H4f, & H4g) tested for differences
based on CSE, CCA, CS, and CMI demographic variables.
The relevance and significance of the study were also presented in this chapter.
According to the literature, researchers are in agreement that more focus needs to be
placed on the aspects of users’ computer misuse intention (CMI), as this significantly
influences the realization of stronger cybersecurity (Blanke, 2008; D’Arcy et al., 2009;
Dinev et al., 2008; Torkzadeh & Lee, 2003). The significance of this study was expected
to be in the results of the assessment on the role of user CSE, CCA, and CS toward CMI
at government agencies, as well as the investigation of the impact of user CSE, CCA, and
CS on CMI. The results of this study provided a better understanding of cybersecurity gaps
and threats in government agencies (Aakash, 2006; Besnard & Arief, 2004; Blanke,
2008; D’Arcy et al., 2009; Dinev et al., 2008; Rezgui & Marks, 2008; Torkzadeh & Lee,
2003; Veiga & Eloff, 2007). The methods to address barriers and issues were discussed.
The chapter ended with a definition of terms used throughout this study and any related
acronyms.

Chapter 2
Review of the Literature

Introduction
The literature review was presented to provide the theoretical foundation for this
study. Relevant computer self-efficacy (CSE), cybersecurity countermeasures awareness
(CCA) (i.e., UAS-P, UAS-T, & UAC-M), and cybersecurity skills (CS) (i.e., CCS, CIS,
& CAS) literature was reviewed, as these constructs play an important role in user CMI in
government agencies. As suggested by Hart (1998), the literature review will focus on
“appropriate breadth and depth, rigor and consistency, clarity and brevity, and effective
analysis and synthesis” (p. 1). Constructs are an important part of the literature review
(Hart, 1998). In the following section, the constructs of this study are reviewed to provide
an understanding of the constructs, identify prior research that is focused on these
constructs, and discuss what is known about the constructs.

Computer Self-Efficacy
The construct of CSE proposed by Compeau and Higgins (1995) was based on
the general concept of self-efficacy that was founded on social cognitive theory
(Bandura, 1977, 1984). Self-efficacy is defined as “people’s judgments of their
capabilities to organize and execute courses of action required to attain designated
performances” (Bandura, 1986, p. 391). CSE pertains to individuals’ judgment of their
capabilities to use computers in various situations (Marakas et al., 1998). Compeau and
Higgins (1995) defined self-efficacy “as beliefs about one’s ability to perform a specific
behavior” (p. 146). Compeau and Higgins (1995) specified that CSE is “an individual’s
perception of his or her ability to use a computer in the accomplishment of a job task” (p.
193). Compeau and Higgins (1995) stated that individuals who are more confident in
their computer skills are more likely to expect positive results in their computer use.
Individuals’ judgment of their ability to complete a task using computers influences their
decision on how they will use computers (Piccoli, Ahmad, & Ives, 2001). Research has
shown that CSE exerts a significant influence on an individual’s decision to use
computers to achieve various tasks (Compeau & Higgins, 1995; Marakas et al., 1998).
Literature suggests that CSE has a very high reliability and strong validity across
different contexts (Levy & Green, 2009).
Compeau and Higgins’ (1995) study of 1,020 randomly selected management
individuals found that CSE exerted “a significant influence on individuals’ expectations
of the outcomes of using computers, their emotional reactions to computers (affect and
anxiety) as well as their actual computer use” (p. 189). Compeau and Higgins (1995)
concluded that computer users with higher CSE had higher usage of computers, enjoyed
using them more, and possessed less computer related anxiety. According to D’Arcy
(2006), in a study of 507 individuals that use computers at work, “those that feel more
comfortable using computers can better comprehend the messages conveyed in security
awareness programs and therefore become more convinced of the organization’s
seriousness toward IT security” (p. 158). D’Arcy indicated based on research findings
that “computer self-efficacy influenced the effectiveness of security countermeasures” (p.
175). Compeau, Higgins, and Huff (1999) claimed that studies have uncovered a close
relationship between self-efficacy, skill, as well as individual reactions to technology
usage and adoption. Levy and Green (2009) found that CSE had a positive influence on
users’ perceptions on ease of use and system usefulness. According to Levy and Green
(2009), “sailors who are comfortable working with IS and learning to use them on their
own, are more likely intended to use such systems” (p. 30).
Computer skill pertains to an individual’s ability to utilize computer hardware and
software to design, develop, modify, and maintain specific applications for task-related
activities (Torkzadeh & Lee, 2003). Computer skills and computer self-efficacy are
interrelated because both are outcomes of development and transformation
of the users’ skill levels (Fischera, 1980; McCoy, 2010). For example, CSE is one’s
perception about his/her ability to detect and remove hidden malware in his/her computer,
and skill is one’s professed ability to detect and remove the hidden malware in his/her
computer. Torkzadeh, Chang, and Demirhan (2006) suggested that CCA “significantly
improved computer and Internet self-efficacy” (p. 541). It appears that CSE plays an
important role in influencing users’ perception on CCA (Piccoli et al., 2001).

User Awareness of Security Policy
UAS-P pertains to security policies. D’Arcy et al. (2009) stated that “security
policies contain detailed guidelines for the proper and improper use of organizational IS
resources” (p. 80). Security policies are similar to societal laws because they provide
information of what constitutes unacceptable conduct, which increases the user’s
perceived threat of punishment for illegal behavior (J. Lee & Lee, 2002). Straub’s (1990)
survey of 1,211 organizations found that users’ awareness of security policies was
associated with a lower level of users’ computer abuse. When users are not motivated to
follow or not aware of security policies designed to protect both users and organizations,
security fails (Boss, Kirsch, Angermeier, Shingler, & Boss, 2009).
D’Arcy et al. (2009) found that computer policy statements “prohibiting software
piracy and warning of its legal consequences resulted in lower piracy intentions” (p. 81).
The absence of security policies can lead to a misinterpretation of acceptable computer
use by users (Straub, 1990). This can lead users to assume that computer misuse is not
subject to enforcement and has little to no consequence (Straub, 1990). The effects of
computer security policies on users’ computer misuse intention suggest that users’
awareness of the existence of security policies decreases the probability of engaging in
computer misuse (Blanke, 2008; D’Arcy et al., 2009). But more research is needed to
better assess the impacts of UAS-P on CMI.

User Awareness of Security-Training Programs
UAS-T pertains to security training programs. Security training programs focus
on providing users with knowledge of the information security policies needed to perform
any required cybersecurity activities (D’Arcy et al., 2009). D’Arcy et al. (2009) found
that information security training programs could help reduce users’ CMI. Information
security training programs reinforce acceptable computer usage guidelines and emphasize
the potential consequences for computer misuse (D’Arcy et al., 2009). One of the biggest
causes of computer security failures is the lack of computer security training programs to
develop users’ cybersecurity awareness (Boss et al., 2009). Information security
researchers have argued that information security training programs are essential in
helping users understand the impact of computer misuse (Blanke, 2008; D’Arcy et al.,
2009). It is important to evaluate the learners’ tendency to actually apply what they have
learned and the confidence they have developed in their ability (Piccoli et al., 2001).
A UAS-T program includes ongoing efforts to convey awareness to users about
cybersecurity risks in the organizational environment, emphasizing recent actions against
users that committed computer misuse and increasing users’ awareness of their
responsibilities regarding organizational information resources (D’Arcy et al., 2009;
Straub & Welke, 1998). Straub and Welke (1998) stated that the primary reason for
initiating UAS-T programs is to “convince potential abusers that the company is serious
about security and will not take intentional breaches of this security lightly” (p. 445).
UAS-T has a positive influence on user CS by providing information about acceptable
and unacceptable usage of information systems, punishment associated with computer
abuse, and awareness of organizational enforcement activities (Wybo & Straub, 1989).
Wybo and Straub (1989) found that UAS-T has a positive effect on three cybersecurity
skills (CCS, CIS, & CAS). However, additional research is required to better assess the
contribution of UAS-T on CS.

User Awareness of Computer Monitoring
UAC-M is often used by organizations to gain compliance with rules and
regulations (D’Arcy et al., 2009). D’Arcy et al. (2009) stated that “computer monitoring
includes tracking employees’ Internet use, recording network activities, and performing
security audits” (p. 80). Computer monitoring of activities appears to deter user computer
misuse because it increases the perceived chances of detection and punishment for such
behavior (D’Arcy et al., 2009; Straub, 1990). Computer monitoring directly influences
user computer misuse intention (D’Arcy & Hovav, 2009; Urbaczewski & Jessup, 2002).
Studies from criminology and sociology found that monitoring and surveillance
help deter users’ computer misuse (Alm & McKee, 2006; D’Arcy et al., 2009). IS studies
suggest that computer monitoring can reduce user computer misuse while increasing
perceived certainty and severity of sanctions for computer misuse (D’Arcy et al., 2009;
Straub & Nance, 1990). Monitoring user computing activities is an active security
measure that enables organizations to detect and take appropriate actions on computer
misuse (D’Arcy & Hovav, 2009; D’Arcy et al., 2009). It seems that appropriate
monitoring practices increase an organization’s ability to prevent intentional computer
misuse incidents that are likely to cause financial impact (D’Arcy et al., 2009). D’Arcy et
al. (2009) indicated that UAC-M has a negative influence on users’ computer misuse
intentions. Torkzadeh and Lee (2003) found that CS plays an
important role towards CMI. Therefore, additional research is needed to better assess the
impacts of UAC-M on CS.

User Awareness of Computer Sanctions
In the context of UAC-S, general deterrence theory (GDT) theorizes that the
greater the certainty and severity of sanctions for banned acts, the more users’ intention
for committing such behavior is decreased (Gibbs, 1975). Sanction is the punishment for
breaking the cybersecurity rules set by the organization (D’Arcy et al., 2009). D’Arcy et
al. (2009) defined “certainty of sanctions as the probability of being punished” while
“severity of sanctions refers to the degree of punishment” (p. 82) in the context of
committing computer misuse. Researchers found that sanction fear helps to predict
criminal and illegal behaviors (D’Arcy et al., 2009). For example, hacking and stealing
intellectual property (e.g., program code) from organizations has more weight on sanction
fear than sharing passwords among co-workers.
The effectiveness of UAC-S on perceptions of punishment severity appears to be
important because perceived punishment severity is a deterrent to computer misuse
(D’Arcy et al., 2009). Sanctions derive from the GDT. This theory suggests that
perceived certainty, severity, and celerity of punishment affect people’s decision on CMI
(Pahnila, Siponen, & Mahmood, 2007). D’Arcy and Hovav (2009) suggested that the
strength of sanctions influences users’ ethical judgments and increases their perception of
the negative consequences of committing computer misuse. D’Arcy et al. (2009) found
that perceived severity of sanctions had a negative effect on user CMI, but perceived
certainty of sanctions did not have a negative impact. Hovav and D’Arcy (2012) found
that UAC-S may be significantly different across national cultures (e.g., U.S. vs. Korea).
Sanctions have been found to have no significant effect on CMI. This relationship was
well documented in literature as not supported (D’Arcy et al., 2009; Pahnila et al., 2007).
Therefore, UAC-S was not measured, as it is well documented not to be a significant
factor in CMI.

Skills
Skill is the ability to understand and make use of different intellectual abilities to
achieve the most appropriate action for the best result (Levy, 2005; Torkzadeh & Lee,
2003). Boyatzis and Kolb (1991) defined skill as a “combination of ability, knowledge
and experience that enables a person to do something well” (p. 280). The theory about
skill provides predictable development sequences in any field by integrating behavioral
and cognitive developmental concepts (Fischera, 1980; Udo, Bagchi, & Kirs, 2010).
Cognitive development is the skill structure called developmental levels (Fischera, 1980).
The transformation rules define the developmental levels by which a skill moves
gradually up from one level to another; on each developmental sequence the individual
controls a particular skill (Fischera, 1980). Skills are gradually transformed to produce
continuous behavioral changes (Fischera, 1980; Udo et al., 2010). Skills influence
people’s experience, attitude, and behavior (Udo et al., 2010). Skills increase a person’s
efficiency and positive behavior (Pryor, Cormier, Bateman, Matzke, & Karen, 2010).
Users’ skills can be developed and improved when they are aware and engaged in
adequate CCA initiatives (Pryor et al., 2010). It appears that cybersecurity
countermeasures awareness dimensions (UAS-P, UAS-T, & UAC-M) of users have a
positive influence on the three cybersecurity skills (CCS, CIS, & CAS) (Fischera, 1980;
Pryor et al., 2010; Udo et al., 2010). Torkzadeh and Lee (2003) found that cybersecurity
skills (CCS, CIS, & CAS) play a significant role in CMI. Therefore, it can be concluded
that additional research on CS is needed to better assess the impacts of CS on CMI.

Information Technology Skills
Torkzadeh and Lee (2003) claimed that the “effective use of information
technology (IT) is considered a major determinant of economic growth, competitive
advantage, productivity, and even personal competency” (p. 607). Benitez-Amado,
Perez-Arostegui, and Tamayo-Torres (2010) defined IT as the technological resources that
include “hardware, software, databases, applications and networks” (p. 89). IT skills
include the domains of management of information systems principles (Caputo, 2010;
Havelka & Merhout, 2009). IT skill is the knowledge and ability to use computer
hardware, software, and procedures to develop specific computer applications
(Torkzadeh & Lee, 2003). Furthermore, the knowledge of computer programming
languages, use of databases, and computer programs such as antivirus programs are
considered to be part of IT skills (Havelka & Merhout, 2009; Torkzadeh & Lee, 2003).
There are two types of IT skills: a) soft IT skills and b) hard IT skills (Swinarski,
Parente, & Noce, 2010). The soft IT skills cover the IT business, IT project management,
and IT team domains, while the hard IT skills cover the computer software, hardware,
network, and security domains (Swinarski et al., 2010). IT skills for Information Systems
(IS) professionals can be said to be technical, technology management, and interpersonal
management skills (Havelka & Merhout, 2009). Havelka and Merhout (2009) developed
an IT skills framework consisting of hardware, software, business knowledge, business,
management, social, system knowledge, problem solving, and development methodology
skills. Havelka and Merhout’s (2009) IT skills framework is an important foundation in
the IT field. IT skills can be said to be the foundation of cybersecurity skills because
users need an appropriate level of IT skills to effectively learn and utilize their
cybersecurity skills (Havelka & Merhout, 2009; Lerouge, Newton, & Blanton, 2005).

Cybersecurity Skills
Cybersecurity skills (CS) correspond to the technical knowledge surrounding the
hardware and software required to implement information security (Lerouge et al., 2005).
According to Lerouge et al. (2005), information system users need an appropriate skill set
to effectively utilize cybersecurity functions and innovations. In their case study, Ramim
and Levy (2006) found that three of the main causes of system failure were due to users’
limited technology knowledge and skill, users’ computer abuse, as well as the lack of
proper cybersecurity policies and procedures. Ramim and Levy (2006) claimed that the
majority of cybersecurity attacks come from insiders (e.g., employees), but unfortunately
most of the attention is given only to outsiders’ (e.g., hackers) attacks.
One of the weakest and most difficult aspects of security governance is the user
CS management that consists of user awareness, education and training, ethical conduct,
trust, as well as privacy (Rezgui & Marks, 2008; Veiga & Eloff, 2007). The leading
reason is that user cybersecurity management deals with humans (e.g., computer
users). Besnard and Arief (2004) found that “humans obey least-effort rules because they
are cognitive machines that attempt to cheaply reach flexible objectives rather than to act
perfectly towards fixed targets” (p. 261). Having users enroll in cybersecurity training
and making them comply with the security guidelines could be a daunting process. Users
need to understand the importance of cybersecurity skills on both their personal and
professional levels (Rezgui & Marks, 2008). Computer users would be more interested in
taking the cybersecurity training if they knew the importance of CS to protect their home
and organization’s computers from cybersecurity threats (Rezgui & Marks, 2008).
32
Users play an important role in contributing to cybersecurity solutions (Straub, 937
1990; Straub & Welke, 1998). The vast majority of IT managers and leaders 938
acknowledge that cybersecurity is important to the organization (Dinev & Hu, 2007; 939
Ruighaver et al., 2007). However, they are reluctant to support and fund cybersecurity 940
initiatives such as training due to the lack of understanding that cybersecurity is 941
everyone’s responsibility; most senior management tend to rely on protective 942
technologies only (Dinev & Hu, 2007; Ruighaver et al., 2007). Users are often resistant to 943
security policies and bypass them, thus exposing their organizations to data loss and 944
cybercrime (Boss et al., 2009). It is worth noting that managers and employees also tend 945
to think of cybersecurity as a second priority compared with their own efficiency or 946
effectiveness matters because the latter have a direct and material impact on the outcome 947
of their work (Besnard & Arief, 2004). Boss et al. (2009) found that “despite the 948
prevalence of technical security measures, individual employees remain the key link – 949
and frequently the weakest link – in corporate defenses” (p.151). 950
Rezgui and Marks (2008) argued that the incompetence of users who 951
underestimate the dangers inherent in their actions represents one of the biggest computer 952
security problems. They stated that CCA should help overcome the users’ cybersecurity 953
incompetence problem by helping them increase their cybersecurity skills. CCA is vital 954
in developing users’ CS (Fischera, 1980; McCoy, 2010). Developing users CS will 955
change their cybersecurity behavior in positive ways (Boss et al., 2009; McCoy, 2010). In 956
fact, cybersecurity objectives cannot be met by technical and procedural protection only. 957
CS plays an important role in helping ensure effective users’ cybersecurity awareness 958
33
which can aid in discouraging CMI (Besnard & Arief, 2004; Rezgui & Marks, 2008). 959
Therefore, more research is needed to better assess the impacts of CS on CMI. 960
961
Cybersecurity Computing Skill 962
Cybersecurity computing skills (CCS) correspond to the technical knowledge
surrounding the hardware and software required to implement information security
(Lerouge et al., 2005). CCS can be defined as the ability to use protective applications
(e.g., antivirus software) to protect computers, computer networks, and information
systems (Levy, 2005). According to Lerouge et al. (2005), information system users need
an appropriate CCS set to effectively utilize cybersecurity functions and innovations.

One of the main causes of information security failure is due to users’ limited
CCS (Ramim & Levy, 2006). Ramim and Levy (2006) stated that most cybersecurity
attacks and abuse are done by employees from within the organization (e.g., computer
users), but most of the attention is given only to attacks and threats from outside.
Hacking, negative technologies (e.g., viruses), and theft are not the only threats to
information systems (Drevin et al., 2007). One of the biggest threats from users is human
error and misuse of computer assets (Drevin et al., 2007). Increasing users’ CCS can help
reduce human error and misuse of computer assets (D’Arcy et al., 2009; Drevin et al.,
2007). It appears that CCS has a negative influence on users’ computer misuse intention
(Drevin et al., 2007; Ramim & Levy, 2006). Thus, additional research on CCS is needed
to better assess the impacts of CCS on CMI.

Cybersecurity Initiative Skill
Initiative is a psychological transition that helps transform individual work roles
and responsibilities into desired outcomes (Rank, Pace, & Frese, 2004). Initiative skill is
a capacity to direct attention and effort over time toward a challenging goal (Dworkin,
Larson, & Hansen, 2003). Cybersecurity initiative skills (CIS) can be defined as the
ability to seek out and take advantage of security software (e.g., antivirus programs) and
best security practices (Levy, 2005). Activities such as cybersecurity training are
experiences in which users develop CIS by learning about how to make plans, overcome
obstacles, and achieve desired goals (Dworkin et al., 2003). Personal initiative is the
combination of proactive, self-starting, persisting behaviors that workers perform to
achieve their desired goals (Dreu & Nauta, 2009). A study of 300 individuals suggested
that individuals who held high complexity roles and jobs showed more personal initiative
(Dreu & Nauta, 2009).

It is unlikely for users to take any initiative toward cybersecurity if they don’t
perceive it as useful (Davis, 1989). Albrechtsen (2007) claimed that a “user-involving
security awareness program approach is much more effective for influencing user
awareness behavior than general security awareness campaigns” (p. 283). According to
Cone, Irvine, Thompson, and Nguyen (2007), many organizations initiate a general
security campaign with hopes to educate and train users in cybersecurity. For example,
general security campaigns send emails or notes to the users or publish information
about security on the organizations’ Intranet Website. Unfortunately, general
security campaigns are vastly ignored by most users (Cone et al., 2007). According to
Cone et al. (2007), many forms of cybersecurity awareness initiatives fail because they
are simple routines that do not require users to take initiatives and apply security
concepts. Therefore, a carefully designed CCA program appears to be vital in an attempt
to increase users’ CIS (Cone et al., 2007).

Technology-savvy users don’t automatically become cybersecurity savvy. In other
words, users’ CIS does not automatically increase with their knowledge of technology
(Cronan, Foltz, & Jones, 2006). According to Cronan et al.’s (2006) study of 516
students, participants who were more familiar with computers committed significantly
more computer abuse. Aytes and Connolly (2004) claimed that it is unlikely that users
will significantly change their cybersecurity behavior by just being provided information
regarding computing risk. Users’ CIS on ethical conduct, trust, risk, and privacy may
positively impact users’ CMI (Rezgui & Marks, 2008; Veiga & Eloff, 2007).

Cybersecurity Action Skill
Cybersecurity action skill (CAS) was defined as the ability to commit to
objectives to meet security compliance (Levy, 2005). An action involves a collection of
commitments that are applied to objectives (Fischera, 1980; Levy, 2005). Therefore,
action must always be adapted to commitments (Fischera, 1980). For example, every
time a user recognizes a familiar computer application, the action is adapted to the
specific application (Fischera, 1980). Every time an action is carried out, even on the
same objectives, it is usually done slightly differently (Fischera, 1980). Thus, the users
can control the relevant action variations on objectives (Fischera, 1980). Action produces
results, makes applications work, and causes events to occur (Korukonda, 1992). Thus,
users’ CAS is important for a positive cybersecurity outcome (Korukonda, 1992).

Action theory provides a three-dimensional framework (Baum, Frese, & Baron,
2007). The three dimensions of the framework are sequence, structure, and focus (Baum
et al., 2007). Sequence reflects the path from goals to feedback, structure indicates the
level of regulation of action or skill to a meta-cognitive heuristic, and focus ranges from
task to self (Baum et al., 2007). Action theory leads to cognitive ability, which is
fundamental for entrepreneurs and employees to be able to take appropriate action (Baum
et al., 2007).

According to Fishbein and Ajzen (1975), people’s behavior is determined by their
behavioral intention to perform the action. The intention is determined by the person’s
attitudes and subjective norms towards the behavior. The Theory of Reasoned Action
(TRA) developed by Fishbein and Ajzen (1975) is a model that finds its roots in the field
of social psychology. Fishbein and Ajzen’s (1975) TRA defined the links between
attitudes, beliefs, norms, intentions, and behaviors of individuals; see Figure 2.

[Figure 2 diagram: "Attitude toward act or behavior" and "Subjective norm" lead to "Behavioral intention", which leads to "Behavior"]
Figure 2. Theory of Reasoned Action (Fishbein & Ajzen, 1975)

The key focus of the Theory of Reasoned Action (TRA) is on the causal
relationship between attitudes and behavioral intention; attitude influences behavioral
intention which affects a person’s behavior (S. Lee, Yoon, & Kim, 2008). According to
Fishbein (1980), reasoned action predicts that behavioral intent or action is caused by two
main factors: attitudes and subjective norms. Similar to information integration theory,
attitudes have two components. Fishbein and Ajzen (1975) called these the evaluation
and strength of a belief. The second component influencing behavioral intent, subjective
norms, also has two components. These components are normative beliefs (what one
thinks others would want or expect him/her to do) and motivation to comply (how
important it is for one to do what he/she thinks others expect from him/her). Vallacher and
Wegner (1987) suggested that “behavior dynamics are primary, with representations of
action arising after the fact, or at best, concurrently with the action” (p. 3). Users’ attitude
toward action or behavior influences intention, and intention is the main motivator of
behavior (Fishbein & Ajzen, 1975). Therefore, TRA could be said to be the foundation of
CAS (Fishbein, 1980; S. Lee et al., 2008). It appears that users’ attitude can be changed
toward cybersecurity when CAS is increased (Fishbein, 1980; Korukonda, 1992). In
addition, CAS can help decrease users’ CMI (Fishbein, 1980; Korukonda, 1992;
Vallacher & Wegner, 1987).

Many organizations use positive technologies to monitor users’ actions (e.g.,
browsing unsafe Internet sites) in the hopes of preventing them from wasting the
company’s resources and downloading negative technologies (e.g., virus or worm)
(Rezgui & Marks, 2008; Veiga & Eloff, 2007). It has been found that positive
technologies don’t fully address all the cybersecurity risks since they can’t prevent users
from engaging in risky activities (S. Lee et al., 2008; Rezgui & Marks, 2008; Veiga &
Eloff, 2007). Numerous studies in psychology have been done on attitudes for predicting
behavior and measuring the causal association between attitude and behavior (S. Lee et
al., 2008). It appears that users’ attitude and perceived social pressure, which is the
predictor to behavioral intention, contribute to their actions (e.g., comply with security
policies & procedures) (S. Lee et al., 2008). The main goal of implementing security
policies and procedures is to secure the organizations’ digital assets (Boss et al., 2009).
Without an appropriate CCA program to educate the users’ CAS, security policies and
procedures can be meaningless (Boss et al., 2009). Ross (2006) suggested that CAS tends
to keep users thinking and anticipating what-if scenarios, thus preparing them to perform
more adequately in an emergency without even thinking. CAS plays an important role in
users’ perception of CMI (Ross, 2006). Therefore, further research is needed to better
assess the impacts of CAS on CMI.

Summary of What is Known and Unknown in Research Literature
The ability to learn a skill can be observed to be closely related to computer
self-efficacy (Compeau & Higgins, 1995; McCoy, 2010). Skill is the ability to understand and
make use of different intellectual abilities to achieve the most appropriate action for the
best result (Levy, 2005; Torkzadeh & Lee, 2003). Thus, cybersecurity skill is the ability
to understand and make use of different intellectual abilities such as using cybersecurity
tools (e.g., data encryption) to protect the organization and personal sensitive computer
data (Levy, 2005; Rezgui & Marks, 2008; Torkzadeh & Lee, 2003; Veiga & Eloff, 2007).
Unfortunately, users are often resistant to security policies and bypass them, thus
exposing their organizations to data loss and cybercrime (Boss et al., 2009). In addition,
managers and employees tend to think of cybersecurity as a second priority compared
with their own efficiency or effectiveness matters, because the latter have a direct and
material impact on the outcome of their work (Besnard & Arief, 2004). Cybersecurity
countermeasures awareness tends to keep users thinking and anticipating what-if
scenarios, thus preparing them to apply the learned cybersecurity skills when required
(Ross, 2006). Therefore, UAS-P, UAS-T, UAC-M, UAC-S, CCS, CIS, and CAS appear
to play an important role in CMI (Besnard & Arief, 2004; D’Arcy et al., 2009; Rezgui &
Marks, 2008).

It appears that CCA is inclusive to UAS-P, UAS-T, UAC-M, and UAC-S. UAS-P
pertains to security policies, which are similar to societal laws, because they provide
information on what constitutes unacceptable conduct, which increases the user’s
perceived threat of punishment for illegal behavior (D’Arcy et al., 2009; J. Lee & Lee,
2002). UAS-T pertains to security training programs, which reinforce acceptable
computer usage guidelines and emphasize the potential consequences for computer
misuse (D’Arcy et al., 2009). UAC-M pertains to computer monitoring, which is often
used by organizations to gain compliance with rules and regulations (D’Arcy et al.,
2009). Computer monitoring directly influences user computer misuse intention (D’Arcy
& Hovav, 2009). UAC-S pertains to computer sanctions, which is similar to prohibition
of specific behaviors (e.g., computer misuse) (D’Arcy & Hovav, 2009). The impact of
UAC-S on perceptions of punishment severity is important because perceived
punishment severity is a strong deterrent to computer misuse (D’Arcy et al., 2009).

It seems that CS is inclusive to CCS, CIS, and CAS. CCS is the technical skill
pertaining to the hardware and software knowledge that is required to implement proper
cybersecurity (Lerouge et al., 2005). Information system users require an appropriate set
of skills to employ cybersecurity technology functions more efficiently (Lerouge et al.,
2005). CIS can be said to be the users’ capacity to direct attention and effort over time
toward a challenging goal such as implementing encryption to protect their sensitive data
(Dworkin et al., 2003). CAS could be said to be the users’ cybersecurity actions that
produce positive cybersecurity results (Korukonda, 1992). Users that gain CCS, CIS, and
CAS would be able to understand and implement cybersecurity technologies such as
email encryption to secure their sensitive emails (Korukonda, 1992; Lerouge et al., 2005;
Rank et al., 2004). Current literature appears to suggest that CSE, CCA, and CS can help
reduce users’ CMI (Korukonda, 1992; Lerouge et al., 2005; Rank et al., 2004); however,
little attention has been given in research to provide empirical evidence for such
interactions, while such validation in government organizations appears to be highly
needed.

Contributions of this Study
The main contribution of this study is to the improvement of current research in
cybersecurity in the public sector by adding to the body of knowledge concerning
government agencies’ user CSE, CCA, CS and their impact on CMI. The results of this
study also provide information that could influence or support future strategies aimed at
helping cybersecurity practitioners and IT managers justify funding for cybersecurity programs
for end users’ cybersecurity awareness and skill development (Besnard & Arief, 2004;
Blanke, 2008; D’Arcy et al., 2009; Dinev et al., 2008; Rezgui & Marks, 2008; Torkzadeh
& Lee, 2003; Veiga & Eloff, 2007; White House, 2009). In addition, this study
contributes to the research community by providing its findings for further research.

Another contribution of this study is that it helps to better understand various
cybersecurity incidents that are generally caused by users. This research contributes to a
better understanding of the causes of cybersecurity incidents attributable to users’ CMI.
Furthermore, this study contributes to more understanding of the necessary steps to help
decrease users’ CMI. Thus, the results of this study are in full agreement with, and support,
other IS literature indicating that additional research is necessary to identify factors
that influence individuals to engage in computer misuse activities (Blanke, 2008; D’Arcy
et al., 2009; Dinev et al., 2008; Rezgui & Marks, 2008; Veiga & Eloff, 2007; White
House, 2009).

Chapter 3
Methodology

Research Design
The main goal of this research study was to empirically test a predictive model on
the impact of computer self-efficacy (CSE), cybersecurity countermeasures awareness
(CCA), and cybersecurity skills (CS) on computer misuse intention (CMI) at government
agencies. This study has assessed the role of users’ CMI at a government agency. This
field study used a Web-based survey instrument for data collection to test the
relationships implied by Figure 1 and the research hypotheses put forth in Chapter 1. The
survey was designed to capture respondents’ perceptions of CSE, CCA, CS, and CMI. In
this study, the participants were the computer users in a federal agency (Sekaran, 2003).
Research design, sample, survey instrument and measures, validity and reliability, expert
panel, pre-analysis data screening, as well as data analysis are presented in this chapter.

Survey Instrument and Measures
Researchers need to demonstrate that their developed instruments are measuring
what they are designed to be measuring (Straub, 1989). According to Straub (1989), an
“instrument valid in content is one that has drawn representative questions from a
universal pool” (p. 150). Selecting the right survey wording that approximates the level
of understanding of the participants is important (Sekaran, 2003). According to
Pinsonneault and Kraemer (1993), it is highly acceptable in research to collect data using
surveys when independent and dependent constructs are well defined. Literature suggests
that measures using a 7-point Likert scale appear to be more accurate than the 5-point
Likert scale (D’Arcy et al., 2009; Levy & Green, 2009). Therefore, this study
implemented a 7-point Likert scale following the scale established in literature for each
of the measured constructs. This study used two different types of 7-point Likert scale to
address different constructs. CSE, UAS-P, UAS-T, and UAC-M constructs were
measured using a 7-point Likert scale (1 = Strongly disagree to 7 = Strongly agree) in
accordance with the validated constructs from literature (D’Arcy et al., 2009; Levy &
Green, 2009) while CCS, CIS, and CAS constructs were measured with the 7-point Likert
scale (1 = No skill or ability, 2 = I am now learning this skill, 3 = I can do this skill with
some help from a supervisor, 4 = I am a competent performer in this area, 5 = I am an
outstanding performer in this area, 6 = I am an exceptional performer in this area, and 7 =
I am a leading performer in this area) in agreement with the validated constructs from
literature pertaining to skill (Levy, 2005). According to Sekaran (2003), to ensure the
content validity of the scales, the items selected must represent the concept about which
generalizations are to be made. To check the validity of the survey, an expert panel was
formed to include both academicians and practitioners. The expert panel reviewed the
survey and provided recommendation(s) on wordings and clarity of the instrument.

The measure of the CSE construct in Appendix A was adapted from Levy and
Green (2009) who studied the role of CSE in acceptance of the U.S. Navy’s combat
information system. The measures of the UAS-P, UAS-T, and UAC-M constructs in
Appendix A were adapted from D’Arcy et al. (2009) who studied the role of user
awareness of security countermeasures and its impact on information systems misuse.
Lastly, the measures of CCS, CIS, and CAS constructs in Appendix A are based on Levy’s
(2005) study on management skills comparison between online and on-campus Master
of Business Administration (MBA) programs and Torkzadeh and Lee’s (2003) study that
measured perceived user computing skills. The literature that serves as the foundation on
which the survey questions are adapted from is detailed in Table 1.

Table 1. Survey question sources

Construct                                      No. of   No. of Items from   Original Scale         Survey Question
                                               Items    Original Source     Used                   Adapted From
---------------------------------------------  -------  ------------------  ---------------------  ----------------------
Computer self-efficacy                         3        3                   7-point Likert scale   Levy & Green, 2009
User awareness of security policy              5        5                   7-point Likert scale   D’Arcy et al., 2009
User awareness of security-training programs   5        5                   7-point Likert scale   D’Arcy et al., 2009
User awareness of computer monitoring          6        6                   7-point Likert scale   D’Arcy et al., 2009
Cybersecurity computing skill                  6        12                  5-point Likert scale   Torkzadeh & Lee, 2003
Cybersecurity initiative skill                 6        6                   7-point Likert scale   Levy, 2005
Cybersecurity action skill                     6        6                   7-point Likert scale   Levy, 2005
Computer misuse intentions                     8        8                   7-point Likert         Hovav & D’Arcy, 2012

Validity and Reliability
External validity threats, such as addressing the interaction of selection and
treatment, could be reduced when selecting groups with different racial, social,
geographical, age, gender, or personality (Creswell, 2005). In this study, participants
were from a government agency but were similar to the general user population. In order
to provide representation of the general community, this study referred to the data
collected from the federal employees as detailed in Table 2 (United States Census
Bureau, 2012).

Participants were well diversified (e.g., racial, social, geographical, age, gender,
or personality) due to the nature of this government agency. The agency is located in the
heart of a large metropolitan area in the northeastern U.S. and its employees originate
from several different countries. It is almost impossible to find a group of participants to
represent every aspect of individualities (e.g., personality, diversity, or culture). This
study attempted to ensure that the study participants were closely representative of the
general agency population by sending the survey to every computer user in the agency
(Creswell, 2005).

Table 2. The summary of characteristics of federal employees (United States Census
Bureau, 2012)

Construct validity is the assessment of the translation of theories into actual
measures or programs (Trochim, 2006). CSE construct is based on a well validated
construct from Blanke (2008) that examined the contributions of CSE to the users’ CMI.
Blanke’s (2008) study was used as the groundwork to validate the impact of CSE toward
CCA. UAS-P, UAS-T, and UAC-M constructs are based on a well validated construct
from D’Arcy et al. (2009) who studied the role of users’ awareness of security
countermeasures and its impact on CMI. D’Arcy et al. (2009) provided the foundation to
validate the influence of CAS on CS. CCS, CIS, and CAS constructs are based on the
computing skill, initiative skill, and action skill that are validated constructs from
Torkzadeh and Lee’s (2003) study that measured user computing skill, Levy’s (2005)
study that measures skills in MBA programs, and Boyatzis and Kolb’s (1991) study on
assessing individuality in learning skills. Their studies served as the groundwork to
validate the impact of CS toward CMI. A social threat to construct validity exists, such as
hypothesis guessing, evaluation apprehension, and experimenter expectation (Trochim,
2006). Since the survey instrument has been developed from five different sources
(Blanke, 2008; Boyatzis & Kolb, 1991; D’Arcy et al., 2009; Levy, 2005; Torkzadeh &
Lee, 2003), it was submitted to an expert panel for a thorough review and evaluation.

Expert Panel
The initial survey instrument was put through a review by an expert panel of
cybersecurity professionals who evaluated the survey questions, the clarity of the
questions, and the accuracy of the measurement instrument. The expert panel consisted of
three prominent cybersecurity professors and five practitioners that intensely reviewed
the survey instrument for validity. To ensure all scales were inputted in the same
direction, every survey question was reviewed prior to the data analysis (Levy, 2006). The
expert panel members were asked to provide recommendations for modifications and
essentially performed a thorough examination of the instrument’s validity. The expert
panel members were asked to (a) indicate their perception as to whether or not the
individual items served to measure the constructs being evaluated, (b) recommend any
additional items they believed could enhance the survey instrument, and (c) provide
general comments on content and structure of the current survey instrument. The
feedback from the expert panel was used to adjust the instrument as needed. In
accordance with the approach of Straub (1989), adjustments included the removal of
unnecessary items and the modification of questions, language, or layout of the
instrument. The expert panel’s feedback on the survey instrument was administered
online over a couple of weeks using Google forms and surveys. Following the
adjustments and testing, the finalized survey instrument that was used in this study was
developed.

Sample and Data Collection
In this study, participants were invited from the local and state transportation
agency, the largest among the nation's bridge and tunnel toll authorities in terms of traffic
volume. The local and state transportation agency serves more than a million people daily
in a large metropolitan area in the northeastern U.S. As a constituent agency of the local
and state transportation agency, its dual role is to operate bridges and tunnels while
providing surplus toll revenues to help support public transit.

This study targeted 500 participants with an anticipated response rate of 30%.
According to Fowler (2009), the size of the sample has almost no impact on how well that
sample is likely to describe the population. Fowler (2009) stated that “a sample of 150
people will describe a population of 15,000 or 15 million with virtually the same degree
of accuracy” (p. 44). Demographic information such as age, gender, job function,
education level, length of working in the organization, as well as military status such as
veteran were collected. The demographic information can be used to describe the sample
characteristics in the research to test the representation of the data collection to the
generalized study population (Sekaran, 2003).

Pre-analysis Data Screening
Pre-analysis data screening was performed before the data collection was
analyzed in the Statistical Package for the Social Sciences® (SPSS). Pre-analysis data
screening is important to ensure the accuracy of the collected data and to deal with the
issues of response-set, missing data, and outliers (Levy, 2006). Accuracy of the collected
data is critical since inaccurate data will result in invalid data analysis (Levy, 2006).
Response-set is when a survey participant checks the same score for all the items. This
can be addressed by eliminating the data from this participant from the final analysis
(Blanke, 2008). Missing data can significantly impact the validity of the collected data
(Blanke, 2008). To avoid missing data, the Web-based survey required all fields to be
completed before submission. Lastly, Mahalanobis Distance was used to determine if any
extreme cases, such as multivariate outliers, existed and if the data should be included or
eliminated from the data analysis (Blanke, 2008). According to Mertler and Vannetta
(2001), an outlier can cause “a result to be insignificant when, without the outlier, it
would have been significant” (p. 27). Thus, outlier cases were evaluated for removal prior
to analyses. The survey was administered online over a period of a few weeks using Google
forms.
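The screening steps described above (rejecting incomplete cases, dropping response-set cases, then flagging multivariate outliers by Mahalanobis distance) can be illustrated with the following added Python example, which is not the study's SPSS procedure. The sample answers, the grouping of items into two construct scores, and the p < .001 chi-square cutoff are assumptions, since the dissertation does not state them here.

```python
"""Pre-analysis screening: incomplete cases, response sets, Mahalanobis outliers."""

# Hypothetical grouping of item columns into two constructs (not the study's instrument).
CONSTRUCTS = {"construct_a": [0, 1, 2], "construct_b": [3, 4, 5]}
# Chi-square critical value for df = 2 at p < .001, i.e. -2 * ln(0.001).
# The cutoff convention is an assumption; the dissertation does not state one.
CUTOFF_DF2_P001 = 13.816


def build_sample():
    """Constructed 7-point Likert answers, six items per respondent (not study data)."""
    rows = []
    for i in range(24):                    # indices 0-23: ordinary respondents
        x = 3 + i % 3
        y = x + i % 2
        rows.append([x - 1, x, x + 1, y + 1, y, y - 1])
    rows.append([4] * 6)                   # index 24: same score for every item
    rows.append([7] * 6)                   # index 25: same score for every item
    rows.append([1, 1, 1, 7, 7, 7])        # index 26: breaks the usual pattern
    rows.append([3, None, 4, 5, 5, 4])     # index 27: unanswered item
    return rows


def is_complete(row, n_items):
    """True when every item holds an integer answer on the 1-7 scale."""
    return len(row) == n_items and all(
        isinstance(v, int) and 1 <= v <= 7 for v in row)


def invert(matrix):
    """Gauss-Jordan inverse with partial pivoting; rejects singular input."""
    n = len(matrix)
    aug = [[float(v) for v in matrix[i]] + [float(i == j) for j in range(n)]
           for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col:
                factor = aug[r][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def mahalanobis_sq(points):
    """Squared Mahalanobis distance of each point from the sample centroid."""
    n, p = len(points), len(points[0])
    if n <= p:
        raise ValueError("need more cases than variables")
    mean = [sum(pt[k] for pt in points) / n for k in range(p)]
    dev = [[pt[k] - mean[k] for k in range(p)] for pt in points]
    cov = [[sum(d[a] * d[b] for d in dev) / (n - 1) for b in range(p)]
           for a in range(p)]
    inv = invert(cov)
    return [sum(d[a] * inv[a][b] * d[b] for a in range(p) for b in range(p))
            for d in dev]


def screen(rows, constructs, cutoff, n_items=6):
    """Return the indices dropped at each screening step plus the distances."""
    incomplete = [i for i, r in enumerate(rows) if not is_complete(r, n_items)]
    response_set = [i for i, r in enumerate(rows)
                    if i not in incomplete and len(set(r)) == 1]
    kept = [i for i in range(len(rows))
            if i not in incomplete and i not in response_set]
    # One score per construct: the mean of that construct's items.
    scores = [[sum(rows[i][j] for j in items) / len(items)
               for items in constructs.values()] for i in kept]
    d2 = dict(zip(kept, mahalanobis_sq(scores)))
    outliers = [i for i in kept if d2[i] > cutoff]
    return {"incomplete": incomplete, "response_set": response_set,
            "outliers": outliers, "d2": d2}


if __name__ == "__main__":
    report = screen(build_sample(), CONSTRUCTS, CUTOFF_DF2_P001)
    print("incomplete:", report["incomplete"])
    print("response set:", report["response_set"])
    print("outliers:", report["outliers"])
```

Response-set cases are removed before the covariance matrix is estimated, so straight-lined answers do not distort the distances computed for the remaining respondents.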
1293
Data Analysis 1294
Carefully selecting the right process of data analysis is important (Creswell, 1295
2005). This study used partial least square (PLS) to examine seven independent variables 1296
(CSE, UAS-P, UAS-T, UAC-M, CCS, CIS, & CAS) and their contributions on the 1297
dependent variable CMI. The PLS procedure has been gaining interest and use among IS 1298
researchers because of its ability to model latent constructs under conditions of non-1299
normality and small to medium sample sizes (Compeau & Higgins, 1995). PLS is 1300
commonly recommended for predictive research models where the emphasis is on theory 1301
development (Chin, 1998). PLS employs a component based approach for estimation and 1302
has less restriction on sample size (Chin, 1998). PLS is suitable for analyzing complex 1303
models with latent variables (Chin, 1998). PLS is typically recommended in situations in 1304
which the sample size is small (Haenlein & Kaplan, 2004). Also, PLS was used to 1305
examine the contributions of the six control variables (i.e., age, gender, job function, 1306
education level, length of working in the organization, & military status such as veteran) 1307
on the dependent variable, CMI. 1308
This study has evaluated the major hypotheses on CSE, UAS-P, UAS-T, UAC-M,
UAS-S, CCS, CIS, CAS and CMI. Hypothesis 1: CSE of users will show significant
positive influence on the cybersecurity countermeasures awareness dimensions (UAS-P,
UAS-T, & UAC-M). Hypothesis 2 (a, b, c, d): Cybersecurity countermeasures awareness
dimensions (UAS-P, UAS-T, & UAC-M) of users will show significant positive
influence on the three cybersecurity skills (CCS, CIS, & CAS). Hypothesis 3: the three
cybersecurity skills (CCS, CIS, & CAS) of users will show significant negative influence
on Computer Misuse Intention (CMI). Finally, Hypothesis 4 (a, b, c, d, e, f, & g): the six
control variables (i.e., age, gender, job function, education level, length of working in the
organization, as well as military status such as veteran) will show no significant influence
on CMI. PLS was used to test the convergent and discriminant validity of the scales. In a
confirmatory factor analysis (CFA) by PLS, convergent validity is demonstrated
when a measurement item loads highly (its coefficient is above 0.60) or loads significantly
(its t-value is within the 0.05 level) on its assigned construct (Gefen
& Straub, 2005). In order to assess the reliability of the measurement items, the
composite construct reliability coefficient was computed.

Model Fit
IBM SPSS® and SmartPLS® statistical packages were used to perform the model
fit testing based on Partial Least Squares (PLS). According to Haenlein and Kaplan
(2004), PLS should be an appropriate technique for model fit examination. The four
hypotheses were tested using a model-fit analysis. Wetzels, Odekerken-Schröder, and
Van-Oppen (2009) suggested a global fit measure (GoF) for PLS path modeling as a
geometric mean of the average communality and average R². They also indicated three
cut-off points for GoF which are GoF(small) = 0.1, GoF(medium) = 0.25, and GoF(large)
= 0.36. As such, the GoF for the model was calculated by PLS by means of the
average communality and average R².
Summary
This chapter provided an overview of the methodology that has been utilized to
conduct this study. The population is described as working professionals at a government
agency in the northeastern U.S. This chapter described the study that attempted to assess
the role of user CSE, CCA, and CS as well as a set of six demographic variables toward
CMI. A survey instrument was proposed based on validated prior measures. The study
targeted 500 participants with an anticipated response rate of 30%. Data collection was
outlined via the use of a Web-based survey instrument. The pre-analysis screening was
performed before the data was collected (Levy, 2006). The collected data was analyzed in
SPSS and PLS, while the GoF cut-off points were proposed based on prior literature.

Chapter 4
Results

Overview
This chapter details the data analysis and the results of this study. The chapter is
organized in a similar way to chapter three and, as such, will include an analysis of the
data collection process and the statistical methods used to analyze the data, and the
overall results. First, the quantitative phase will be presented, which details the results of
this study. This will be followed by the results of the pre-analysis data screening and then
the results of the quantitative phase. The chapter will conclude with a summary of the
results and the procedures used for the analysis.
The main goal of this research study was to empirically test a predictive model
measuring the impact of computer self-efficacy (CSE), cybersecurity countermeasures
awareness (CCA), and cybersecurity skills (CS) on computer misuse intention (CMI) at
government agencies, along with testing of a set of six control variables. The four
specific research hypotheses addressed were:
H1: Computer self-efficacy (CSE) of users will show significant positive
influence on the cybersecurity countermeasures awareness dimensions (UAS-P,
UAS-T, & UAC-M).
H2a: User awareness of security policy (UAS-P) will show significant positive
influence on the three cybersecurity skills (CCS, CIS, & CAS).
H2b: User awareness of security-training programs (UAS-T) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).
H2c: User awareness of computer monitoring (UAC-M) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).
H3: The three cybersecurity skills (CCS, CIS, & CAS) of users will show
significant negative influence on Computer Misuse Intention (CMI).
H4a: Users’ age will show no significant influence on Computer Misuse Intention
(CMI).
H4b: Users’ gender will show no significant influence on Computer Misuse
Intention (CMI).
H4c: Users’ job function will show no significant influence on Computer Misuse
Intention (CMI).
H4d: Users’ education level will show no significant influence on Computer
Misuse Intention (CMI).
H4e: Users’ length of working in the organization will show no significant
influence on Computer Misuse Intention (CMI).
H4f: Users’ military veteran status (i.e. ‘yes’ or ‘no’) will show no significant
influence on Computer Misuse Intention (CMI).

Pre-Analysis Data Screening
There were 185 responses received from the survey respondents. Before the
collected data could be analyzed, pre-analysis data screening had to be performed.
Pre-analysis data screening was performed to detect irregularities or problems with the
collected data. According to Levy (2006), pre-analysis data screening is performed to
ensure the accuracy of the data collected, to deal with the issue of response set, to deal
with missing data, and to deal with extreme cases or outliers. For this study, data
accuracy was not an issue as the Web-based survey instrument was designed to allow
only a single valid answer for each question. Additionally, data collected did not require
any manual input as it was submitted directly into an online spreadsheet that was then
downloaded directly for the analyses. Missing data was also not an issue for
this study as the Web-based survey instrument was designed to prevent final submission
until all items were completed. To address the issue of response-sets, a visual inspection
of all responses was performed to identify cases that had the same response to all of the
questions. Response-set bias is a factor that produces a particular pattern of responses that
may not correctly correspond to the true state of affairs (Mangione, 1995). Kerlinger and
Lee (2000) recommended the analysis of data for potential response-sets, and that
researchers consider the elimination of any such sets from the research prior to data
analysis. No response-set cases were found in the collected data.
One of the main reasons for pre-analysis data screening was to deal with extreme
cases (e.g., outliers). Stevens (2007) stated that an outlier is a data point that is usually
very different from the rest of the data. In order to address multivariate extreme case(s),
Mahalanobis Distance analysis was performed. There was one case (case # 115)
identified using Mahalanobis Distance as a significant multivariate outlier. Therefore,
case number 115 has been reviewed and removed from the analysis. Table 3 details the
cases with multivariate extreme values that resulted from the Mahalanobis Distance
analysis.
Table 3. Mahalanobis distance extreme values (N=184)

Demographic Analysis
After completion of the pre-analysis data screening, 184 responses remained for
analysis of which 48 or 26.1% were completed by females and 136 or 73.9% were
completed by males. Analysis of the respondents’ age indicated that 11 or 6% were
20 to 29 years of age, 28 or 15.2% of respondents were between the ages of 30 to 39, 70
or 38% of respondents were between the ages of 40 to 49, 54 or 29.3% of respondents
were between the ages of 50 to 59, and 21 or 11.4% of respondents were 60 and over. 27
or 14.7% of respondents were administrative staff, 67 or 36.4% were managerial, 33 or
17.9% were officers, 23 or 12.5% were people working in operations, three or 1.6% were
security operators, 18 or 9.8% were IT people, 11 or 6% were professional staff, and the
remaining two or 1.1% were others (e.g., college interns). Among the respondents, two
or 1.1% were with the organization under one year, 24 or 13% were with the organization
between 1 to 5 years, 35 or 19% were with the organization between 6 to 10 years, 52
or 28.3% were with the organization between 11 to 15 years, 23 or 12.5% were with the
organization between 16 to 20 years, 31 or 16.8% were with the organization between 21
to 25 years, 4 or 2.2% were with the organization between 26 to 30 years, and 13 or 7.1%
were with the organization for over 30 years. Approximately 50% (90 or 48%) had a
bachelor’s degree. Also, 35 or 19% were veterans. Details on the demographics of the
population are presented in Table 4.
Table 4. Descriptive statistics of population (N=184)
Item Frequency Percentage (%)
Gender
Female 48.0 26.1
Male 136.0 73.9
Age
Under 20 0.0 0.0
20-29 11.0 6.0
30-39 28.0 15.2
40-49 70.0 38.0
50-59 54.0 29.3
60 and over 21.0 11.4
Job function
Administrative staff 27.0 14.7
Managerial 67.0 36.4
Officer 33.0 17.9
Operations 23.0 12.5
Security operator 3.0 1.6
Technical 18.0 9.8
Professional staff 11.0 6.0
Other: 2.0 1.1
Year(s) with current organization
Under 1 year 2.0 1.1
1-5 years 24.0 13.0
6-10 years 35.0 19.0
11-15 years 52.0 28.3
16-20 years 23.0 12.5
21-25 years 31.0 16.8
26-30 years 4.0 2.2
over 30 years 13.0 7.1
Education Level
High School Diploma 36.0 19.6
2-years college (AA degree) 22.0 12.0
4-years college/university (Bachelor’s degree) 90.0 48.9
Graduate (Master’s degree) 29.0 15.8
Doctorate degree 1.0 0.5
Other: 6.0 3.3
Veterans
Yes 35.0 19.0
No 149.0 81.0

Validity and Reliability Analyses
Model evaluation involves estimation of internal consistency, convergent and
discriminant validity tests to achieve construct validity, as well as reliability (Chin &
Todd, 1995). Construct reliability is calculated by Cronbach’s Alpha and composite
reliability (Fornell & Larcker, 1981). The Cronbach’s Alpha coefficients for all constructs
in this study were greater than the threshold of 0.7 indicating very strong reliability for
the constructs measured. The composite reliability implicitly assumes that each indicator
has the same weight and it relies on actual factor loadings, which can be considered as
the best measure for internal consistency (Fornell & Larcker, 1981). The composite
reliability should be greater than 0.7 to reflect internal consistency. According to Table 5,
all multi-item constructs measured have demonstrated very high composite reliability
coefficients that are greater than 0.7, further validating the high reliability of all constructs
measured. Convergent validity was assessed using average variance extracted (AVE).
Fornell and Larcker (1981) suggested that an AVE greater than 0.5 is the standard. All AVE were
above 0.5 with the exception of CMI being 0.434. AVE can be used to evaluate the
discriminant validity. The value obtained from each construct should be greater than the
variance divided between that construct and other variables in the model (Chin, 1998;
Fornell & Larcker, 1981). Discriminant validity can be obtained by observing whether
correlations between variables are less than the square of average variance extracted.
Table 6 shows that the squared value of average variance extracted for each construct is
larger than the correlations in the same column (Chin, 1998; Fornell & Larcker, 1981).

Table 5. Descriptive statistics of reliability (N=184)
Construct  AVE       Composite Reliability  R Square  Cronbach’s Alpha
CAS        0.628582  0.910061               0.048279  0.883481
CCS        0.775289  0.953893               0.172877  0.941955
CIS        0.760665  0.950145               0.014402  0.939950
CMI        0.434217  0.858796               0.296575  0.818835
CSE        0.670791  0.858880               -         0.767531
UAC-M      0.608034  0.899040               -         0.871109
UAS-P      0.587071  0.875146               -         0.824381
UAS-T      0.667373  0.909265               -         0.875880
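Table 5 can be checked mechanically against the thresholds quoted above, and the GoF defined under Model Fit can be computed from it. The following is an added example, not part of the dissertation: it assumes average communality equals the mean AVE (usual for reflective PLS models), averages R² over the four endogenous constructs only, and treats each GoF cut-off as a lower bound; the function names are this example's own.

```python
import math

# Table 5 (N=184): (AVE, composite reliability, R-squared or None, Cronbach's alpha).
# R-squared is None for constructs that have no predictors in the model.
TABLE5 = {
    "CAS":   (0.628582, 0.910061, 0.048279, 0.883481),
    "CCS":   (0.775289, 0.953893, 0.172877, 0.941955),
    "CIS":   (0.760665, 0.950145, 0.014402, 0.939950),
    "CMI":   (0.434217, 0.858796, 0.296575, 0.818835),
    "CSE":   (0.670791, 0.858880, None,     0.767531),
    "UAC-M": (0.608034, 0.899040, None,     0.871109),
    "UAS-P": (0.587071, 0.875146, None,     0.824381),
    "UAS-T": (0.667373, 0.909265, None,     0.875880),
}

# Thresholds quoted in the text (each must be exceeded).
MIN_AVE, MIN_CR, MIN_ALPHA = 0.5, 0.7, 0.7
# GoF cut-offs quoted from Wetzels et al. (2009), largest first.
GOF_CUTOFFS = [(0.36, "large"), (0.25, "medium"), (0.10, "small")]


def threshold_failures(table=TABLE5):
    """Return (construct, statistic, value) for every value not above its threshold."""
    failures = []
    for name, (ave, cr, _r2, alpha) in table.items():
        for label, value, minimum in (("AVE", ave, MIN_AVE),
                                      ("CR", cr, MIN_CR),
                                      ("alpha", alpha, MIN_ALPHA)):
            if value <= minimum:
                failures.append((name, label, value))
    return failures


def goodness_of_fit(table=TABLE5):
    """GoF = sqrt(mean communality * mean R^2).

    Assumption of this example: communality is taken as AVE, and R^2 is
    averaged over endogenous constructs only (those with an R^2 in Table 5).
    """
    aves = [row[0] for row in table.values()]
    r2s = [row[2] for row in table.values() if row[2] is not None]
    return math.sqrt((sum(aves) / len(aves)) * (sum(r2s) / len(r2s)))


def gof_band(gof):
    """Name of the highest cut-off that the GoF value reaches."""
    for cutoff, label in GOF_CUTOFFS:
        if gof >= cutoff:
            return label
    return "below small"


if __name__ == "__main__":
    for name, label, value in threshold_failures():
        print(f"{name}: {label} = {value} does not exceed its threshold")
    gof = goodness_of_fit()
    print(f"GoF = {gof:.3f} ({gof_band(gof)})")
```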

Table 6. Latent and Demographic Variables Correlation (N=184)

T-values were obtained by running bootstrapping in SmartPLS. Given the data
obtained, some adjustments in the proposed model path testing had to be taken into
consideration for the model testing to reflect a viable model, which is slightly different
than the one originally proposed. However, the majority of the proposed model paths were
included in the tested model. The T-value is used to identify the significance level of each
path in the model. Based on this study with 184 degrees of freedom (df), T-values greater
than 1.960 are significant at a p-value less than 0.05, T-values greater than 2.576 are
significant at a p-value less than 0.01, and T-values greater than 3.291 are significant at a
p-value less than 0.001 (Gravetter & Wallnau, 2009). Table 7 shows the coefficient and
T-value of each construct path. A correlation coefficient is a number between -1
and 1, which measures the degree to which two variables are linearly related. If there is a
perfect linear relationship with positive slope between the two variables, then it is a
correlation coefficient of 1; if there is positive correlation, whenever one variable has a
high (low) value, so does the other. If there is a perfect linear relationship with negative
slope between the two variables, then it is a correlation coefficient of -1; if there is
negative correlation, whenever one variable has a high (low) value, the other has a low
(high) value. A correlation coefficient of 1 means that the two numbers are perfectly
correlated while a correlation coefficient of -1 means that the numbers are perfectly
inversely correlated. A correlation coefficient of zero means that there is no linear
relationship between the variables (Chin & Todd, 1995; Fornell & Larcker, 1981).
Table 7. Path coefficients significance (N=184)
Path                 Coefficients  T Statistics  Significant
CAS -> CMI           -0.152762     1.118844      p = 0.265 Not supported
CCS -> CMI            0.243329     1.952593      p = 0.052 Limited support
CIS -> CMI           -0.230363     1.973962*     p = 0.0499 Yes (p < 0.05)
CSE -> CCS            0.391288     7.361295**    Yes (p < 0.001)
CSE -> CMI           -0.019187     0.212218      p = 0.832 Not supported
UAC-M -> CCS         -0.178643     1.991473*     p = 0.048 Yes (p < 0.05)
UAC-M -> CMI         -0.190342     2.220108*     p = 0.028 Yes (p < 0.05)
UAS-P -> CAS          0.219725     2.508762*     p = 0.013 Yes (p < 0.05)
UAS-P -> CCS          0.129809     1.625293      p = 0.106 Not supported
UAS-P -> CIS          0.120009     1.663104      p = 0.098 Not supported
UAS-P -> CMI         -0.104848     0.808814      p = 0.420 Not supported
UAS-T -> CMI         -0.166317     1.621924      p = 0.107 Not supported
Age -> CMI           -0.186975     1.719205      p = 0.087 Limited support. H4a – rejected: “age” has limited statistically significant negative impact on CMI
Gender -> CMI        -0.022814     0.262552      p = 0.793 Not rejected. As hypothesized “gender” has statistically no significant negative impact on CMI
Job Function -> CMI   0.041865     0.491383      p = 0.624 Not rejected. As hypothesized “Job Function” has statistically no significant negative impact on CMI
Education -> CMI     -0.071088     0.926183      p = 0.356 Not rejected. As hypothesized “Education” has statistically no significant negative impact on CMI
Work Length -> CMI    0.070697     0.723555      p = 0.470 Not rejected. As hypothesized “Work Length” has statistically no significant negative impact on CMI
Veteran -> CMI       -0.094907     1.274678      p = 0.204 Not rejected. As hypothesized “Veteran” has statistically no significant negative impact on CMI
*p<.05 (two-tailed tests).
**p<.001 (two-tailed tests).
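The p-values printed in Table 7 can be recomputed from its T statistics. The following added example (not part of the dissertation) does so with a two-tailed Student's t test at the 184 degrees of freedom stated in the text, using only the Python standard library; the function names and the 0.0015 rounding tolerance are assumptions of this example.

```python
import math

DF = 184  # degrees of freedom stated in the text

# (path, T statistic, p-value printed in Table 7; None where only "p < 0.001" is given)
TABLE7 = [
    ("CAS -> CMI", 1.118844, 0.265), ("CCS -> CMI", 1.952593, 0.052),
    ("CIS -> CMI", 1.973962, 0.0499), ("CSE -> CCS", 7.361295, None),
    ("CSE -> CMI", 0.212218, 0.832), ("UAC-M -> CCS", 1.991473, 0.048),
    ("UAC-M -> CMI", 2.220108, 0.028), ("UAS-P -> CAS", 2.508762, 0.013),
    ("UAS-P -> CCS", 1.625293, 0.106), ("UAS-P -> CIS", 1.663104, 0.098),
    ("UAS-P -> CMI", 0.808814, 0.420), ("UAS-T -> CMI", 1.621924, 0.107),
    ("Age -> CMI", 1.719205, 0.087), ("Gender -> CMI", 0.262552, 0.793),
    ("Job Function -> CMI", 0.491383, 0.624), ("Education -> CMI", 0.926183, 0.356),
    ("Work Length -> CMI", 0.723555, 0.470), ("Veteran -> CMI", 1.274678, 0.204),
]


def t_pdf(x, df):
    """Density of Student's t distribution with df degrees of freedom."""
    log_norm = (math.lgamma((df + 1) / 2) - math.lgamma(df / 2)
                - 0.5 * math.log(df * math.pi))
    return math.exp(log_norm - (df + 1) / 2 * math.log1p(x * x / df))


def two_tailed_p(t, df=DF, steps=2000):
    """Two-tailed p-value, 1 - 2 * integral of the density over [0, |t|].

    The integral uses Simpson's rule; steps must be even.
    """
    t = abs(t)
    if t == 0.0:
        return 1.0
    h = t / steps
    total = t_pdf(0.0, df) + t_pdf(t, df)
    for i in range(1, steps):
        total += (4 if i % 2 else 2) * t_pdf(i * h, df)
    return max(0.0, 1.0 - 2.0 * total * h / 3.0)


def critical_t(alpha, df=DF):
    """Smallest |t| whose two-tailed p-value is at most alpha (bisection)."""
    lo, hi = 0.0, 20.0
    for _ in range(50):
        mid = (lo + hi) / 2
        if two_tailed_p(mid, df) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def stars(p):
    """Marker following the table's footnotes: * p<.05, ** p<.001."""
    return "**" if p < 0.001 else "*" if p < 0.05 else ""


def audit(rows=TABLE7, df=DF, tol=0.0015):
    """Return (path, recomputed p, marker, agrees_with_printed_p) per row."""
    out = []
    for path, t, printed in rows:
        p = two_tailed_p(t, df)
        agrees = printed is None or abs(p - printed) <= tol
        out.append((path, round(p, 4), stars(p), agrees))
    return out


if __name__ == "__main__":
    for path, p, mark, agrees in audit():
        print(f"{path:<20} p = {p:<8} {mark:<2} {'ok' if agrees else 'MISMATCH'}")
    print("critical |t| at alpha = .05, df = 184:", round(critical_t(0.05), 4))
```

At df = 184 the exact two-tailed .05 cut-off is about 1.973, slightly above the large-sample 1.960 quoted in the text, so a path such as CIS -> CMI (T = 1.973962) sits right at the boundary.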

PLS was used to address the four hypotheses. Results of the standardized PLS
path coefficients model for this study are presented in Figure 3. The numbers noted on the
arrows in the model represent the path coefficients rounded to the nearest hundredths
value, where results indicated that five out of the 12 construct path coefficients (not
including the demographic indicators) (CIS -> CMI, CSE -> CCS, UAC-M -> CCS,
UAC-M -> CMI, & UAS-P -> CAS) were significant at the p < .05 level
or better (p < .001). The rest of the model paths (CCS -> CMI, CAS -> CMI, CSE ->
CMI, UAS-P -> CCS, UAS-P -> CIS, UAS-P -> CMI, UAS-T -> CMI, Age -> CMI,
Gender -> CMI, Job Function -> CMI, Education -> CMI, Work Length -> CMI, &
Veteran Status -> CMI) that were tested indicated path coefficients with non-significant
p-values. Results of the R-squared (R²) values are indicated below the given constructs
where R² is applicable. R-squared (R²) on CMI is 0.296 or nearly 0.30, indicating an
acceptable model fit.

Figure 3. Results of the PLS analysis (N=184)
The results of the PLS model showed that UAC-M and CIS were significant
contributors (p < .05) to CMI. UAC-M was also found to be a significant contributor
(p < .05) to CCS. UAS-P was found to be a significant contributor (p < .05) to CAS. CSE
made a significant contribution (p < .001) to CCS while it did not show significant
contribution to CMI.
This study found that CSE had no influence on CMI, which appears to be
supported by prior research by D’Arcy and Hovav (2009), who also found that CSE had
no effect on misuse intention. However, it might be that the relationship between CSE
and CMI is just not linear. That is, those users with very low CSE are likely to engage in
misuse unintentionally or out of ignorance, while users with very high CSE are likely to
engage in misuse because they believe they can circumvent the system successfully and
get away with it. As such, additional research should be done on assessing such potential
hyperbolic relations between the two constructs of CSE and CMI.
The mean scores of the CMI and CSE were obtained for the 184 records (see
Figure 4). The findings show that, by and large, only seven cases out of the total of 184
cases were CMI high, meaning that the majority (nearly 97%) of the respondents were
ethical as their CMI was low. The most important finding is that the majority (nearly 93%) of
the participants had a high CSE while at the same time had a low CMI. This makes
evident that there is a strong association between high CSE and low CMI. This suggests
that, by and large, users with higher CSE have lower CMI, while such a relationship may not
be linear in nature, hence the low coefficient and T-value (i.e. high p-value)
observed in this study. Phelps (2005) found that users with higher CSE were more
effective at implementing system security. Crossler and Belanger (2006) stated that a
user’s level of CSE directly impacted his or her use of security tools. The plotting of the
taxonomy of the mean scores of CMI and CSE as a 2x2 matrix summary is presented in
Table 8. This study considered CSE and CMI < 4 to be noted as "Low" and 4 > to be
"High".
Table 8. CMI mean and CSE mean (N=184)
Item Cases
CSE (low) and CMI (low) 7
CSE (high) and CMI (low) 170
CSE (low) and CMI (high) 0
CSE (high) and CMI (high) 7
Figure 4. Graph of CMI mean and CSE mean (N=184)
Similar to the CSE to CMI path, the case of the few high-CSE and
high-CMI computer-savvy users (e.g., users with high CCS) suggests that they feel that they can
overcome the computer monitoring capabilities of their organizations and that they are
less likely to be caught when engaging in computer misuse. Perhaps users with high CCS
(e.g., hackers) might be more likely to engage in misuse because they believe they can
circumvent the system successfully and get away with it. Therefore, someone with higher
CCS could also appear to have higher CMI.
Summary
Chapter 4 reported on the results of all data analysis performed in order to answer
the four hypotheses set in this study. In this chapter, the results of the contribution of
CSE, CCA, and CS to CMI, as measured by the weight of their contribution to the
prediction of CMI, are presented. Prior to the statistical analyses, pre-analysis data
screening was performed to ensure the accuracy of the data collected. Following this
screening, Cronbach’s Alpha reliability tests were conducted for each construct to
determine how well the items for each scale were internally consistent with one another.
The results demonstrated high reliability for all constructs measured. In order to
determine the representativeness of the sample, demographic data were requested from
the survey participants. The distribution of the data collected appeared to be
representative of the population of government employees.
PLS was used to address the four hypotheses and test the model fit. Given the
type of data collected and the number of constructs measured, modifications were needed
from the original model proposed in order to test the path coefficients among the
constructs measured. The results of the PLS model showed that UAC-M and CIS were
significant contributors (p < .05) to CMI. UAC-M was also found to be a significant
contributor (p < .05) to CCS. UAS-P was found to be a significant contributor (p < .05) to
CAS. CSE demonstrated the most significant contribution (p < .001) to CCS while it
didn’t show significant contribution to CMI.

Chapter 5
Conclusions, Implications, Recommendations, and Summary

Conclusions
This chapter begins with conclusions drawn from the results of this study. The
main goal and hypotheses investigated are detailed next, and the implications of the study
are discussed. Moreover, contributions of this study to the body of knowledge are
presented followed by the limitations of this study. The chapter ends with
recommendations for future research and a summary of this study.
The main goal of this research study was to empirically test a predictive model on
the impact of computer self-efficacy (CSE), cybersecurity countermeasures awareness
(CCA), and cybersecurity skills (CS) on computer misuse intention (CMI) at government
agencies along with a set of six demographic indicators. The population of this study was
working professionals from a government agency located in the northeastern U.S. The
original projected response rate was 30% out of 500 potential participants, while
the actual survey response rate obtained was nearly 37%, with 184 usable records.
The first specific goal of this study was to empirically assess CSE and its
contribution to CCA (UAS-P, UAS-T, & UAC-M) dimensions. The results of the PLS
model indicated that CSE did not make any significant contribution to CCA. While not
originally hypothesized, CSE demonstrated a significant contribution (p < .001) to CCS.
The second goal of this study was to empirically assess CCA (UAS-P, UAS-T, &
UAC-M) dimensions and their contribution to CS (CCS, CIS, & CAS). Based on the PLS
model, UAS-P demonstrated a significant contribution (p < .05) to CAS. UAC-M was
found to be a significant contributor (p < .05) to CCS. Interestingly, UAS-T did not make
any significant contribution to any of the CS dimensions.
The third goal of this study was to empirically assess CS (CCS, CIS, & CAS) and
its contribution to CMI. The PLS model revealed that UAC-M and CIS were found to be
significant contributors (p < .05) to CMI. CCS was found to demonstrate limited
significant contribution (p = 0.052) to CMI.
The fourth goal of this study was to empirically assess age,
gender, job function (i.e., job title), education level, length of working in the
organization, and military status (e.g., veteran) and their contributions to CMI. The PLS
model showed that most of the demographic latent variables didn’t show any significance
except for age, which showed limited significant difference (p = 0.087) to CMI.
The last goal was to empirically assess the fit of the model by using CSE, CCA
(i.e., UAS-P, UAS-T, & UAC-M), CS (i.e., CCS, CIS, & CAS), CMI, and control
variables. The PLS model presented the results of the study (see Figure 3). The results
indicated that UAC-M and CIS made significant contributions (p < .05) to CMI. UAC-M
showed significant contribution (p < .05) to CCS. UAS-P indicated significant
contribution (p < .05) to CAS. Lastly, CSE demonstrated a significant contribution
(p < .001) to CCS while it did not show significant contribution to CMI.
The purpose of our study was to assess the role of user computer self-efficacy,
cybersecurity countermeasures awareness, and cybersecurity skills toward computer
misuse intention at government agencies. The results showed that UAS-P demonstrated a
significant contribution to CAS and UAC-M was a significant contributor to
CCS. This finding is consistent with the recommendations of IS security advocates who
contend that security countermeasures awareness is important when it comes to
cybersecurity skills. One area that did not demonstrate significant contribution from CCA
was CIS. This suggests that, in the context of the data collected in this study, CCA
increases users’ CCS and CAS while it doesn’t have a significant contribution on users’
CIS. However, additional research may be needed to further investigate these findings.
CSE showed significant contribution to CCS while it did not show significant
contribution to CMI. The results suggest that the CSE to CCS path is in accordance
with the recommendations of IS security advocates, who contend that employees’ computer
self-efficacy is worth enhancing as it also significantly measures their
security countermeasures awareness. The non-significant result found in this study of
the CSE to CMI path suggests that in the case of the few high-CSE and high-CMI
computer-savvy users, they feel that they can overcome the computer monitoring capabilities of
their organizations and that they are less likely to be caught when engaging in computer
misuse. Computer-savvy users may also know that security personnel cannot actively
monitor all computing activities, even though such activities might get automatically
logged and recorded by monitoring technologies. While these issues appear to be valid
for the high-CSE and high-CMI computer users, the results indicated that 96% of the
participants demonstrated, by and large, to be ethical with varied CSE, but a low CMI.
UAC-M and CIS were significant contributors to CMI. This is consistent with the
recommendations of IS security advocates and researchers. CCS showed limited
significant contribution (p = 0.052) to CMI. Contrary to expectations, UAS-T did not
make any significant contribution to any of the CS dimensions or CMI. This finding was
surprising since literature suggested that UAS-T should have a significant contribution to
CS dimensions. One possible explanation for these results could be the relatively high
age of the survey participants. In this study, the majority of the participants were in the 40
years old and older age group, representing 78.7% of the participants. In addition, age
was the only control variable that demonstrated limited significant contribution (p =
0.087) to CMI. As such, the impact of UAS-T on CS and CMI should be further
investigated with different professional computer users to investigate if such results are
specific for the data collected in this study or indeed due to the age issue.

Study Implications
This research study has a number of implications for the existing body of
knowledge in the areas of IS and cybersecurity within government agencies. A prediction
model was developed with CSE, CCA, and CS in an attempt to validate a model to
predict employees’ CMI in a government agency. These independent variables were
selected for the model based on the literature search that was conducted. There are two
key contributions that this study makes to IS and cybersecurity research. The first one is
to develop and empirically validate a model for predicting government employees’ CMI.
While a significant number of information security studies have been conducted using
college students as participants, the second key contribution of this study is the
investigation of the most significant constructs that contribute to professional employees’
(non-students) CMI in a government agency environment.
This investigation also contributes to the IS and cybersecurity practice in that it
provides valuable information that can be used in government agencies in an effort to
significantly reduce computer users’ misuse and, therefore, increase productivity and
effectiveness. With computer abuse being reported in more than half of the business
environments surveyed by the Computer Security Institute (CSI), computer users’ misuse
is problematic and continues to significantly increase. With this investigation and the
existing body of knowledge, government agencies may be better positioned to understand
and reduce computer users’ misuse, starting with reducing their CMI.

Study Limitations
Like any other empirical research, this study also had several limitations. Three
limitations were identified for this study. First, the study was comprised of working
professionals at a single local government agency located in the northeastern U.S.
Non-government organizations and government agencies of other states or countries were not
covered in this study. Second, the survey for this study was completed within a four-week
timeframe. Leonard and Cronan (2005) stated that a longitudinal study is needed as CSE,
CCA, and CS influence may shift over time. Organizations must periodically reassess
their employees’ CSE, CCA, and CS and adjust the constructs that influence CMI
(Leonard & Cronan, 2005). Third, self-reported CMI was measured instead of actual
behaviors. Prior research indicates there is a reluctance of survey participants to report
computer misuse (Foltz, 2004; Parker, 1998; Straub, 1990). While there is a significant
body of research in IS (Ajzen, 1975; Davis, Bagozzi, & Warshaw, 1989) supporting
intention as a predictor of actual behavior, actual behavior could be tracked by system
monitoring tools instead of self-reported CMI. While actual misuse behaviors are
difficult to measure, it is still a measurement that needs to be done in future work.
User awareness of computer sanctions (UAC-S) was initially included in this
study, but it was removed due to some survey issues. The agency was concerned that
the questions asked in UAC-S might not comply with the agency’s strict union rules.
Another issue was that the expert panel reviewing the survey was concerned that the
overall instrument was too long. The survey had 51 questions not including the UAC-S’
six questions. Therefore, it was decided to rely on D’Arcy et al. (2009), Hovav and
D’Arcy (2012), as well as Pahnila et al. (2007) research on the role of UAC-S in CMI.
They found that perceived severity of sanctions was associated with reduced CMI, but
perceived certainty of sanctions was not a significant predictor of CMI. In addition, they
also stated that UAC-S may be significantly different across national cultures (e.g., U.S.
vs. Korea). Additional work may investigate the role of UAC-S, if possible, in CMI.
The R-squared (R²) of the latent variables on CMI was found to be 0.296 or
nearly 30%. Wetzels et al. (2009) suggested a global fit measure (GoF) for PLS path
modeling as a geometric mean of the average communality and average R². They
indicated three cut-off points for GoF which are GoF(small) = 0.1, GoF(medium) = 0.25,
and GoF(large) = 0.36. This study’s R-squared (R²) falls between GoF(medium) = 0.25
and GoF(large) = 0.36, while a higher R² might have been able to demonstrate more
significant results; thus, additional work is needed to re-validate the model proposed on
another group of participants and in other more diverse organizations.

Recommendations for Future Research

Many areas of future research were identified as a result of this work. This study
investigated working professionals at a single local government agency. This study could
be replicated at another government agency in another part of the country or level (e.g.,
federal, state, or local government agency). In addition, this study can also be replicated
in a private sector business environment as compared to a government agency. Future
research could also be completed by incorporating and measuring user awareness of
computer sanctions (UAC-S) and its role in reducing users’ CMI in organizations.
Research of system monitoring tools could also be completed to determine the percentage
of computer use in government agencies that is non-work related (i.e., cyber-slacking) and
test for various security countermeasures that could reduce the nonproductive work in the
agency. Finally, as noted in the results section, future research is recommended to assess
the potential hyperbolic relations between CSE and CMI constructs to better understand
their non-linear relationship.

Summary

This dissertation investigation addressed the problem of computer misuse
intention (CMI) by employees in a government agency, which contributes to
cybersecurity vulnerabilities. While computer technology is generally intended to
increase employee productivity and effectiveness, that same computer technology may be
used in negative ways that reduce productivity and increase cybersecurity vulnerabilities.
Computer users play a large role in information security (Veiga & Eloff, 2007). Users are
one of the weakest links in the information systems security chain because many users
appear to have limited or no cybersecurity awareness and skills (Albrechtsen, 2007;
Clifford, 2008). Many users are complacent about potential computer security risks when
protective technologies (e.g., antivirus software) are not used or installed in their
computer. They are willing to accept the security risks rather than addressing them due to
the nuisances caused by security measures and cost (Dinev et al., 2008). Most users are
not aware of the importance of protecting computer information systems, and this lack of
awareness is reflected in their negligence in cybersecurity practices (Thomson & Solms,
2005). D’Arcy and Hovav (2009) as well as Straub (1986) have suggested that additional
research investigating the factors that influence CMI is needed. After completing a
comprehensive literature review, three constructs were identified as possible factors that
may contribute to employee CMI.

The first construct identified in the literature as a possible contributor to CMI was
computer self-efficacy (CSE). Bandura (1977), Compeau and Higgins (1995), Fischera
(1980), Levy and Green (2009), Marakas et al. (1998), McCoy (2010), and Piccoli et al.
(2001) suggested that CSE is a construct that contributes to CMI. Therefore, the
contribution of CSE to employee CMI in a government agency was investigated.

The second construct identified in the literature as a possible contributor to CMI
was cybersecurity countermeasures awareness (CCA). Additional research was suggested
by Boss et al. (2009), D’Arcy et al. (2009), Lee and Lee (2002), Straub (1990), Straub
and Welke (1998), Torkzadeh and Lee (2003), Wybo and Straub (1989), as well as
Urbaczewski and Jessup (2002) on the contribution of UAS-P in reducing employee CMI.
Thus, the contribution of CCA to employee CMI in a government agency was also
investigated.

The third construct identified in the literature as a possible contributor to CMI
was cybersecurity skills (CS). Albrechtsen (2007), Aytes and Connolly (2004), Cone et
al. (2007), Cronan et al. (2006), Drevin et al. (2007), as well as Ramim and Levy (2006)
suggested that CS is a factor that contributes to CMI. Hence, the contribution of CS to
employee CMI in a government agency was investigated.

A predictive model was designed to assess employees’ CMI in government
agencies based on the contribution of CSE, CCA, and CS, as measured by their
contribution to CMI. The four specific hypotheses addressed were:

H1: Computer self-efficacy (CSE) of users will show significant positive
influence on the cybersecurity countermeasures awareness dimensions (UAS-P,
UAS-T, & UAC-M).

H2a: User awareness of security policy (UAS-P) will show significant positive
influence on the three cybersecurity skills (CCS, CIS, & CAS).

H2b: User awareness of security-training programs (UAS-T) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).

H2c: User awareness of computer monitoring (UAC-M) will show significant
positive influence on the three cybersecurity skills (CCS, CIS, & CAS).

H3: The three cybersecurity skills (CCS, CIS, & CAS) of users will show
significant negative influence on Computer Misuse Intention (CMI).

H4a: Users’ age will show no significant influence on Computer Misuse Intention
(CMI).

H4b: Users’ gender will show no significant influence on Computer Misuse
Intention (CMI).

H4c: Users’ job function will show no significant influence on Computer Misuse
Intention (CMI).

H4d: Users’ education level will show no significant influence on Computer
Misuse Intention (CMI).

H4e: Users’ length of working in the organization will show no significant
influence on Computer Misuse Intention (CMI).

H4f: Users’ military veteran status (i.e., ‘yes’ or ‘no’) will show no significant
influence on Computer Misuse Intention (CMI).

To address the specific hypotheses above, a survey instrument was developed by
using previously validated survey items from the following research pool: D’Arcy et al.
(2009), Levy and Green (2009), Levy (2005), Hovav and D’Arcy (2012), as well as
Torkzadeh and Lee (2003). CSE was measured using a validated three-item instrument
developed by Levy and Green (2009). UAS-T and UAS-P were measured by utilizing the
five validated survey items developed by D’Arcy et al. (2009). UAC-M was measured by
using the six validated survey items developed by D’Arcy et al. (2009). CCS was
measured by utilizing the six validated survey items developed by Torkzadeh and Lee
(2003). CIS and CAS were measured by using the six validated survey items developed
by Levy (2005). CMI was measured using a validated eight-item instrument developed by
Hovav and D’Arcy (2012). The demographics were measured by using validated survey
items recommended by the expert panel.

A conceptual research model was proposed (see Figure 1). Partial Least Squares
(PLS) was utilized to test predictive power. It was predicted that CSE, CCA, and CS
would have a significant (p < .05) impact on users’ CMI. The results demonstrated that
UAC-M and CIS were significant contributors (p < .05) to CMI. CSE demonstrated a
significant contribution (p < .001) to CCS, while it did not show a significant contribution
to CMI.

Following the analyses, the results and conclusions were discussed. This study’s
implications and limitations were identified and discussed. Recommendations for future
research were outlined to build on this research and add to the existing body of
knowledge.

APPENDIX A

Survey Instrument

Please respond to each of the following statements.

APPENDIX B

Approval Letter to Collect Data from the Agency

APPENDIX C

IRB Approval Letter

References

2010/2011 Computer crime and security survey. (2011, June 6). InformationWeek.
Retrieved September 13, 2011, from
http://analytics.informationweek.com/abstract/21/7377/Security/research-2010-2011-csi-survey.html

Aakash, T. (2006). Determinants of adverse usage of information systems assets: A study
of antecedents of IS exploit in organizations. Dissertation Abstracts International,
67(6). (UMI No. 3221195).

Ajzen, I. (1989). Attitude, structure, and behavior. Hillsdale, NJ: Lawrence Erlbaum
Associates.

Albrechtsen, E. (2007). A qualitative study of users’ view on information security.
Computers & Security, 26, 276-289.

Alm, J., & McKee, M. (2006). Audit certainty, audit productivity, and taxpayer
compliance. National Tax Journal, 59(4), 801–816.

Alvarez, R. (2002). Confessions of an information worker: A critical analysis of
information requirements discourse. Information and Organization, 12(2), 85–107.

Axelrod, W. (2006). Cybersecurity and the critical infrastructure: Looking beyond the
perimeter. Information Systems Control Journal, 6. Retrieved February 22, 2010,
from http://www.isaca.org/Journal/Past-Issues/2006/Volume-3/Documents/jpdf0603-Cybersecurity-Critical.pdf

Aytes, K., & Connolly, T. (2004). Computer security and risky computing practices: A
rational choice perspective. Journal of Organizational and End User Computing,
16(3), 22-40.

Bandura, A. (1977). Self-efficacy: Toward a unifying theory of behavioral change.
Psychological Review, 84(2), 191-215.

Bandura, A. (1984). Recycling misconceptions of perceived self-efficacy. Cognitive
Therapy and Research, 8(3), 231-255.

Bandura, A. (1986). Social foundations of thought and action. Englewood Cliffs, NJ:
Prentice Hall.

Baum, J., Frese, M., & Baron, R. (2007). The psychology of entrepreneurship. The
organizational frontiers. Mahwah, NJ: Lawrence Erlbaum Associates.

Benitez-Amado, J., Perez-Arostegui, M., & Tamayo-Torres, J. (2010). Information
technology-enabled innovativeness and green capabilities. The Journal of
Computer Information Systems, 51(2), 87-96.

Besnard, D., & Arief, B. (2004). Computer security impaired by legitimate users.
Computers & Security, 23(2004), 253-264.

Blanke, S. (2008). A study of the contributions of attitude, computer security policy
awareness, and computer self-efficacy to the employees’ computer abuse
intention in business environments. Dissertation Abstracts International, 69(11).
(UMI No. 3336919).

Boss, S., Kirsch, L., Angermeier, I., Shingler, R., & Boss, W. (2009). If someone is
watching, I’ll do what I’m asked: Mandatoriness, control, and information
security. European Journal of Information System, 18(2009), 151-164.

Boyatzis, R. E., & Kolb, D. A. (1991). Assessing individuality in learning: The learning
skills profile. Educational Psychology, 11(3), 279-295.

Caputo, D. (2010). Gender differences in assessing essential business information
systems technology skills. International Journal of Management and Information
Systems, 14(2), 31-38.

Chan, M., Woon, I., & Kankanhalli, A. (2005). Perceptions of information security in the
workplace: Linking information security climate to compliant behavior. Journal
of Information Privacy & Security, 1(3), 18-41.

Chau, P. Y. (2001). Influence of computer attitude and self-efficacy on IT usage behavior.
Journal of End User Computing, 13(1), 26-33.

Chin, W. W. (1998). Issues and opinion on structural equation modeling. MIS Quarterly,
22(1), 7-16.

Chin, W. W., & Todd, P. (1995). On the use, usefulness, and ease of use of structural
equation modeling in MIS research: A note of caution. MIS Quarterly, 19(2), 237–246.

Clarke, R., & Knake, R. (2010). Cyber war: The next threat to national security and what
to do about it. New York, NY: HarperCollins Publishers.

Clifford, M. (2008). Approaches to user education. Network Security, 2008(9), 15-17.

Compeau, D., & Higgins, C. (1995). Computer self-efficacy: Development of a measure
and initial test. MIS Quarterly, 19(2), 189-211.

Compeau, D., Higgins, C., & Huff, S. (1999). Social cognitive theory and individual
reactions to computing technology: A longitudinal study. Management
Information System Quarterly, 23(2), 145-158.

Cone, B., Irvine, C., Thompson, M., & Nguyen, T. (2007). A video game for cyber
security training and awareness. Computers & Security, 26(1), 63-72.

Creswell, J. (2005). Educational research: Planning, conducting, and evaluating
quantitative and qualitative research (2nd ed.). Upper Saddle River, NJ: Pearson
Education, Inc.

Cronan, T., Foltz, C., & Jones, T. (2006). Piracy, computer crime, and IS misuse at the
university. Communications of the ACM, 49(6), 84-90.

Crossler, R., & Belanger, F. (2006, September). The effect of computer self-efficacy on
security training effectiveness. Proceedings of the InfoSecD Conference’06,
Kennesaw, GA.

D’Arcy, J. P. (2006). Security countermeasures and their impact on information systems
misuse: A deterrence perspective. Dissertation Abstracts International. (UMI No.
AAT 3203001).

D’Arcy, J., & Hovav, A. (2007). Towards a best fit between organization security
countermeasures and information systems misuse behaviors. Journal of
Information System Security, 3(2), 4-30.

D’Arcy, J., & Hovav, A. (2009). Does one size fit all? Examining the differential effects
of IS security countermeasures. Journal of Business Ethics, 89(1), 59-71.

D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security
countermeasures and its impact on information systems misuse: A deterrence
approach. Information Systems Research, 20(1), 79-98.

Davis, F. D. (1989). Perceived usefulness, perceived ease of use, and user acceptance of
information technology. MIS Quarterly, 13(3), 319-340.

Davis, F. D., Bagozzi, R. P., & Warshaw, P. R. (1989). User acceptance of computer
technology: A comparison of two theoretical models. Management Science, 35(8),
982-1003.

Dinev, T., Goo, J., Hu, Q., & Nam, K. (2008). User behaviour towards protective
information technologies: The role of national cultural differences. Information
Systems Journal, 19(4), 391-412.

Dinev, T., & Hu, Q. (2007). The centrality of awareness in the formation of user
behavioral intention toward protective information technologies. Journal of the
Association for Information Systems, 8(7), 386-408.

Dreu, C., & Nauta, A. (2009). Self-interest and other-orientation in organizational
behavior: Implications for job performance, prosocial behavior, and personal
initiative. Journal of Applied Psychology, 94(4), 913-926.

Drevin, L., Kruger, H., & Steyn, T. (2007). Value-focused assessment of ICT security
awareness in an academic environment. Computers & Security, 26(1), 36-43.

Dworkin, J., Larson, R., & Hansen, D. (2003). Adolescents' accounts of growth
experiences in youth activities. Journal of Youth and Adolescence, 32(1), 17-27.

Farrell, G., & Riley, M. (2011). Hackers take $1 billion a year as banks blame clients for
crime. Retrieved August 09, 2011, from
http://www.bloomberg.com/news/2011-08-04/hackers-take-1-billion-a-year-from-company-accounts-banks-won-t-indemnify.htm

Fischera, K. (1980). A theory of cognitive development: The control and construction of
hierarchies of skills. Psychological Review, 87(6), 477-531.

Fishbein, M., & Ajzen, I. (1975). Belief, attitude, intention, and behavior. Reading, MA:
Addison-Wesley.

Fornell, C., & Larcker, D. (1981). Evaluating structural equation models with
unobservable variables and measurement error. Journal of Marketing Research, 18(1), 39–50.

Foltz, B. (2004). Cyberterrorism, computer crime, and reality. Information Management
& Computer Security, 12(2), 154-166.

Fowler, F. J., Jr. (2009). Survey research methods (4th ed.). Thousand Oaks, CA: Sage.

Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security
information. Information Systems Research, 16(2), 186-208.

Gefen, D., & Straub, D. W. (2005). A practical guide to factorial validity using
PLS-Graph: Tutorial and annotated example. Communications of the AIS, 16(1), 91–109.

Gibbs, J. P. (1975). Crime, punishment, and deterrence. New York, NY: Elsevier.

Gravetter, F., & Wallnau, L. (2009). Essentials of statistics for the behavioral sciences.
Belmont, CA: Wadsworth Publisher.

Haenlein, M., & Kaplan, A. (2004). A beginner’s guide to partial least squares analysis.
Understanding Statistics, 3(4), 283–297.

Hart, C. (1998). Doing a literature review: Releasing the social science research
imagination. London, UK: Sage.

Havelka, D., & Merhout, J. (2009). Toward a theory of information technology
professional competence. The Journal of Computer Information Systems, 50(2),
106-117.

Hovav, A., & D’Arcy, J. (2012). Applying an extended model of deterrence across
cultures: An investigation of information systems misuse in the U.S. and South
Korea. Information & Management, 49(2), 99-110.

Kerlinger, F. N., & Lee, H. B. (2000). Foundations of behavioral research (4th ed.).
Holt, NY: Harcourt College.

Korukonda, A. (1992). Managerial action skills in business education: Missing link or
misplaced emphasis? Advanced Management Journal, 57(3), 27-35.

Lee, J., & Lee, Y. (2002). A holistic model of computer abuse within organizations.
Information Management Computer Security, 10(2), 57–63.

Lee, S., Yoon, S., & Kim, J. (2008). The role of pluralistic ignorance in internet abuse.
The Journal of Computer Information Systems, 48(3), 38-43.

Leonard, L., & Cronan, T. (2005). Attitude toward ethical behavior in computer use: A
shifting model. Industrial Management and Data Systems, 105(9), 1150-1171.

Lerouge, C., Newton, S., & Blanton, J. E. (2005). Exploring the systems analyst skill set:
Perceptions, preferences, age, and gender. Journal of Computer Information
Systems, 45(3), 12-22.

Levy, Y. (2005). A case study of management skills comparison in online and on-campus
MBA programs. International Journal of Information and Communication
Technology Education, 1(2), 1-20.

Levy, Y. (2006). Assessing the value of e-learning systems. Hershey, PA: Information
Science Publishing.

Levy, Y., & Green, B. (2009). An empirical study of computer self-efficacy and the
technology acceptance model in the military: A case of a U.S. navy combat
information system. Journal of Organizational and End User Computing, 21(3),
1-2.

Mangione, T. (1995). Mail surveys: Improving the quality. Thousand Oaks, CA: Sage.

Marakas, G., Yi, M., & Johnson, R. (1998). The multilevel and multifaceted character of
computer self-efficacy: Toward clarification of the construct and an integrative
framework for research. Information Systems Research, 9(2), 126-164.

McCoy, C. (2010). Perceived self-efficacy and technology proficiency in undergraduate
college students. Computers & Education, 55(4), 1614-1617.

Mertler, C., & Vannatta, R. (2001). Advanced and multivariate statistical methods. Los
Angeles, CA: Pyrczak.

Pahnila, S., Siponen, M., & Mahmood, A. (2007). Proceedings from HICSS '07: The 40th
Hawaii International Conference on System Sciences. Waikoloa, HI: IEEE.

Parker, D. (1998). Fighting computer abuse – A new framework for protecting
information. New York, NY: John Wiley & Sons.

Phelps, D. (2005). Information system security: Self-efficacy and security effectiveness
in Florida libraries. Retrieved from ProQuest Dissertations & Theses. (ATT
3183102).

Piccoli, G., Ahmad, R., & Ives, B. (2001). Web-based virtual learning environments: A
research framework and a preliminary assessment of effectiveness in basic IT
skills training. MIS Quarterly, 25(4), 401-427.

Pinsonneault, A., & Kraemer, K. (1993). Survey research methodology in management
information systems: An assessment. Journal of Management Information
Systems, 10(2), 75-105.

Pryor, C., Cormier, C., Bateman, B., Matzke, B., & Karen, B. (2010). Evaluation of a
school-based train-the-trainer intervention program to teach first aid and risk
reduction among high school students. The Journal of School Health, 80(9), 453-460.

Ramim, M., & Levy, Y. (2006). Securing e-learning systems: A case of insider cyber
attacks and novice IT management in a small university. Journal of Cases on
Information Technology, 8(4), 24-34.

Rank, J., Pace, J., & Frese, M. (2004). Three avenues for future research on creativity,
innovation, and initiative. Applied Psychology, 55(4), 518-528.

Rezgui, Y., & Marks, A. (2008). Information security awareness in higher education: An
exploratory study. Computers & Security, 27(7-8), 241–253.

Rosenzweig, P. (2012, May 24). The alarming trend of cybersecurity breaches and
failures in the U.S. government. Retrieved May 31, 2012, from
http://www.heritage.org/research/reports/2012/05/the-alarming-trend-of-cybersecurity-breaches-and-failures-in-the-us-government

Ross, C. (2006). Training nurses and technologists for trauma surgery. Journal of
Trauma Nursing, 13(4), 193-196.

Ruighaver, A., Maynard, S., & Chang, S. (2007). Organizational security culture:
Extending the end-user perspective. Computers & Security, 26(1), 56-62.

Sekaran, U. (2003). Research methods for business: A skill-building approach (4th ed.).
New York, NY: John Wiley & Sons.

Solms, B., & Solms, R. (2004). The 10 deadly sins of information security management.
Computers & Security, 23(5), 371-376.

Stevens, J. (2007). Intermediate statistics: A modern approach. New York, NY:
Lawrence Erlbaum Associates.

Straub, D. W. (1986). Deterring computer abuse: The effectiveness of deterrent
countermeasures in the computer security environment. Dissertation Abstracts
International, 48(4), 813. (UMI No. 8710538)

Straub, D. W. (1989). Validating instruments in MIS research. MIS Quarterly, 13(2),
147-169.

Straub, D. W. (1990). Effective IS security: An empirical study. Information System
Research, 1(3), 255–276.

Straub, D. W., & Nance, W. D. (1990). Discovering and disciplining computer abuse in
organizations: A field study. Management Information System Quarterly, 14(1),
45–60.

Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning
models for management decision making. Management Information Systems
Quarterly, 22(4), 441-469.

Trochim, W. M. K. (2006). Design research methods knowledge base. Retrieved June
14, 2012, from http://www.socialresearchmethods.net/kb/design.htm

Swinarski, M., & Parente, K. (2010). A study of gender differences with respect to
internet socialization of adolescents. Journal of Business and Economics
Research, 8(6), 23-30.

Thomas, M. A. (2003). Web-based surveys. Columbus, Ohio: Ohio State University,
Program Development and Evaluation department.

Thomson, K., & Solms, R. (2005). Information security obedience: A definition.
Computers & Security, 24(1), 69-75.

Torkzadeh, G., & Lee, J. (2003). Measures of perceived end-user computing skills.
Information & Management, 40, 607-615.

Torkzadeh, G., Chang, J., & Demirhan, D. (2006). A Contingency model of computer
and internet self-efficacy. Information and Management, 43(2006), 541-550.

Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating
information systems risk management strategies through cultural theory.
Information Management & Computer Security, 14(3), 198-217.

Udo, G., Bagchi, K., & Kirs, J. (2010). An assessment of customers’ e-service quality
perception, satisfaction and intention. International Journal of Information
Management, 30(6), 481-492.

United States Census Bureau. (2012). Federal employees summary characteristics [Data
file]. Retrieved from
http://www.census.gov/compendia/statab/2012/tables/12s0500.pdf

Urbaczewski, A., & Jessup, L. M. (2002). Does electronic monitoring of employee
Internet usage work? Association for Computing Machinery, 45(1), 80–83.

Vallacher, R., & Wegner, D. (1987). What do people think they're doing? Action
identification and human behavior. Psychological Review, 94(1), 3-15.

Veiga, A., & Eloff, J. (2007). An information security governance framework.
Information Systems Management, 24(4), 361-273.

Wetzels, M., Odekerken-Schröder, G., & Van-Oppen, C. (2009). Using PLS path
modeling for assessing hierarchical construct models: Guidelines and empirical
illustration. MIS Quarterly, 33(1), 177-195.

White House. (2009). Assuring a trusted and resilient information and
communications infrastructure. Retrieved February 22, 2010, from
http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf

Wyatt, G. (1990). Risk-taking and risk-avoiding behavior: The impact of some
dispositional and situational variables. The Journal of Psychology, 124(4), 437–447.

Wybo, M. D., & Straub, D. W. (1989). Protecting organizational information resources.
Information Resources Management Journal, 2(4), 1–15.